From patchwork Mon Aug 12 15:38:04 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7983
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] keepalived: Update to version 2.3.1
Date: Mon, 12 Aug 2024 17:38:04 +0200
Message-ID: <20240812153808.3944396-10-adolf.belka@ipfire.org>
In-Reply-To: <20240812153808.3944396-1-adolf.belka@ipfire.org>
References: <20240812153808.3944396-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 2.2.8 to 2.3.1
- Update of rootfile not required
- Changelog

  2.3.1
  This is a minutes release to quickly fix a minor regression.

  Fixes
  conf: fix secondary config file location when using --prefix=/usr
    Commit 42a746c - "configure: ${prefix} defaults to NONE which messes up
    DEFAULT_CONFIG_FILE" broke the checking of whether a secondary default
    config file location is required

  2.3.0
  This release brings improvements and fixes some minor issues reported.
  Yearly release.

  New
  vrrp: For use_vmac and use_ipvlan, copy the group from the base interface.
    It is useful in many instances to set up firewall rules based on interface
    groups so that sets of interfaces may be aggregated by group and matched
    with a single rule rather than by listing them all. Prior to this change,
    when use_vmac or use_ipvlan is used, new interfaces are created with the
    default group, which breaks this ability. Further complicating the issue
    is that nftables resolves interface names to ifindex at load time. This is
    problematic with keepalived's interface creation, which usually comes
    after the firewall loading, forcing the use of iifname, oifname instead
    (similar to iptables -i, -o). By copying the group value, such firewall
    rules can continue to work regardless of the use_vmac or use_ipvlan
    settings, since packets may now arrive on, or be routed out from, the new
    interfaces.
  vrrp: Add name option for use_vmac and use_ipvlan.
    This is to allow an interface name of "bridge" etc.
  vrrp: Add interface group option for VMACs and ipvlans.
    Now that the interface group of a VMAC or ipvlan is set, by default, to
    match its parent interface, this option now allows the group of the VMAC
    or ipvlan to be explicitly configured and set.
  ipvs: Add snmp_rs_stats_update_interval.
    This complements snmp_vs_stats_update_interval, and also real server stats
    are now only fetched from the kernel when there is an SNMP request for
    them; i.e. VS stats and RS stats are updated separately.
  conf: Add global keyword use_symlink_paths.
    By default keepalived resolves all symbolic links in path names of scripts
    to the real path. This commit adds the use_symlink_paths option to
    maintain the symlinks in paths, so that users can update symlinks in order
    to update the scripts being called.
  doc: Add documentation for MH and TWOS schedulers.
  global: Add per process gprof profiling.
  systemd: Add KEEPALIVED_OPTION for non-root service file.
  systemd: Add comment in non-root service file for old systemds.

  Improvements
  vrrp: Remove extraneous log message for netlink interface message.
  vrrp: Allow DBus to work with VRRP instances without configured interface.
    keepalived uses "none" for the interface in the DBus path if a VRRP
    instance has no configured interface. However, it was not checking
    explicitly for "none" when a query was received. This commit now adds a
    specific check.
  vrrp: Allow specification of string used by DBus for no interface.
  vrrp: check prefix length when checking if deleted address is a VIP.
    It is possible, for example, to configure both 10.1.0.3/32 and 10.1.0.3/24
    on the same interface. When checking whether an address deleted from an
    interface is one of our VIPs, we need to also check the prefix length.
  vrrp: Set sysctl arp_ignore to 1 on IPv6 VMACs.
    Setting arp_ignore to 1 ensures that the VMAC interface does not respond
    to ARP requests for IPv4 addresses not configured on the VMAC.
  vrrp: Go to fault state if fail to add IPv6 link-local address to VMAC.
    If an IPv6 VRRP instance uses a VMAC, but adding a link-local address to
    the interface fails, then the vrrp instance now transitions to fault
    state, just as happens if the link-local address is removed after it has
    been added.
  vrrp: Don't send IPv6 advert from interface with no address.
    If an interface has no IPv6 address, no advert can be sent. Rather than
    logging an error when the send fails, simply don't send the advert.
  vrrp: Check interface for static routes if deleted.
    route_is_ours() checked the outgoing interface for virtual routes but not
    for static routes. This commit now adds checking of the outgoing
    interface for static routes, and now moves the code to compare routes
    into a separate function used for both virtual and static routes.
  vrrp: remove logging on status output.
    A message is output to the log each time the status is queried. This is
    not necessary and can therefore be omitted.
  vrrp: Use addattr32() for setting link group.
    Set link group for ipvlan interfaces, just like for VMACs.
  ipvs: ping check extension. use consistent ICMP id and fix sequence number
    By keeping the sockets used for pings open, the ICMP id field now remains
    the same for each echo request. The sequence number is now per ping
    check, and is now sent in big endian order.
  ipvs: Reduce logging of activating health checkers.
    Don't log activating checkers after a reload if they are already active.
  ipvs: Remove checkers_queue.
    A configuration with 2277 virtual servers, with a total of 37205 real
    servers with each real server having one checker was taking 132 seconds
    to reload. This commit reduces the reload time to 0.24 seconds, a
    reduction of 99.8%! The problem was due to every real server iterating
    through all checkers, 37205 * 37205 = 1,384,212,025 iterations, not only
    once but several times. The code now maintains a list of checkers for
    each real server. The disadvantage of this is that to iterate through all
    checkers requires iterating through all virtual servers, and all their
    real servers and then for each real server the list of checkers. If there
    are relatively few checkers compared to real servers, this will take
    longer than using the checkers_queue, but using a queue per real server
    is still fast, and the only time the code iterates through all the
    checkers is at startup/reload, other than dumping the configuration.
  ipvs: don't call protocol_to_index() unless using auto fwmarks.
    protocol_to_index() must only be called when there is an index. This is
    when the virtual server uses a virtual server group that is using auto
    fwmarks.
  ipvs: add set and alive status for sorry servers in keepalived_check.data.
  ipvs: Reinstate non-failed real servers if remove sorry server.
    When there is no sorry server, the quorum is not used, and real servers
    are only removed if a checker fails. On the other hand if there is a
    sorry server, if the number of alive real servers falls below the quorum,
    all non-failed real servers are removed when the sorry server is added.
    If the sorry server is removed from the configuration, non-failed real
    servers need to be reinstated.
  ipvs: don't remove sorry server if inhibit added but server is alive.
  ipvs: inhibit extensions:
    If inhibit is changed on a failed real server, add/remove it.
    If inhibit is added to inactive sorry server set weight 0.
    If inhibit cleared for inactive sorry server, clear s_svr->set.
  ipvs: Add snmp_vs_stats_update_interval for updating SNMP stats.
    The timer for updating VS and RS stats for SNMP was hard coded to 5
    seconds. This commit still defaults to 5 seconds but allows the timer to
    be configured.
  ipvs: Misc SNMP updates and extensions.
    Don't duplicate storage of 32 bit SNMP stats.
    Use correct variable for returning 64 bit stats for SNMP.
    Add counter64 options for 64 bit SNMP stats.
    Use SNMP variable3/4/7 instead of variable8 where appropriate.
    streamline SNMP real server code when no sorry server.
    Merge several SNMP functions that were doing nearly the same thing.
    Streamline finding VS group entry for SNMP.
    Streamline finding RS for SNMP.
    Streamline finding VS for SNMP.
    set var_len = 0 when returning an error to SNMP.
    fix building with SNMP support without using netlink interface.
  systemd: Change NotifyAccess to be main rather than all for non-root.
  doc: Clarify documentation for "weight" in track_process.
    The default value for weight should be 0, and not 1 as previously stated.
  doc: update description for v3_checksum_as_v2.

  Fixes
  vrrp: Stop link local VMAC address responding to neighbour solicit.
    When an IPv6 VRRP instance using VMAC is in backup state, the link local
    address configured on the VMAC interface is the same as the link local
    address on the parent interface of the VMAC. This causes a problem with
    switches learning the MAC address of the VMAC is now on the backup. This
    causes packets meant to be sent to the master being sent to the backup.
    This commit uses nftables/iptables to stop neighbour advertisements for
    the link local address of the VMAC interface and its parent interface
    being sent from the VMAC interface.
  vrrp: fix global skip_check_adv_addr and strict_mode parsing.
    skip_check_adv_addr and strict_mode take an option parameter, but
    keepalived wasn't parsing it, and assumed it was set on/true/yes.
  vrrp: work around missing promiscuous netlink notifications.
    If the base interface does not implement IFF_UNICAST_FLT, for example it
    is a bridge interface, no netlink notification is sent by the kernel when
    promiscuity is set on the base interface. The promiscuous state of the
    base interface is correct in the kernel but it is incorrect in daemons
    that listen to the interface netlink messages (eg. DPDK). The issue is
    still there in kernel 6.4.6. Force a notification by re-setting
    IFLA_GROUP for the base interface.
  vrrp: Fix specifying netlink_notify_msg for VMAC when name set.
    Trying to specify a VMAC name as well as netlink_notify_msg did not work
    for use_vmac.
  ipvs: fix issue in reload process when using virtual server groups.
    issue: when using virtual server groups, remove vs entry in configure
    file and then do reload, vs entry can not be removed. And add vs entry in
    configure file and then do reload, rs with 0 port will be set.
    fix: in reload process do the same action with ipvs_group_cmd. set rs
    port with vs port and update live state
  ipvs: add/remove sorry server of group server when reload.
    issue: when using virtual server groups, if all rs down and sorry server
    up, at this time remove/add vs entry in configure file and then do
    reload, vs entry can not be removed.
    fix: add/remove sorry server same as normal rs when reload server groups
  check: if lost misc check child register checker again.
    issue: misc check_child_thread timeout and remove child_pid from rb_data,
    timeout callback of check_child_thread is not called, if at this time
    misc script done and exit, and child termination will do nothing because
    child_pid was removed from rb_data. in this case timeout callback will
    not register checker again, the checker will be lost.
    fix: if lost misc check child register checker again
  lib: Stop setting MAGIC_PRESERVE_ATIME flag.
    On RedHat systems setting MAGIC_PRESERVE_ATIME caused SELinux errors.
  core: make startup/shutdown scripts work when not using --dont-fork.
    check_start_stop_script_secure() checks that the parent process has not
    changed while it is doing its checks, so we need to set the pid of the
    parent process (main_pid) before calling the function. There is a further
    complication that calling getppid() too soon after a fork() with the
    parent process exiting after the fork means that we don't get the pid of
    the new parent, so we need to loop until getppid() returns a different
    pid.
  core: initialise script structure in start_validate_reload_conf_child().
    Due to the path field not being set to NULL, it was attempting to exec a
    random string when reload_check_config was configured.
  systemd: Fix snmp option in non-root service file.

Signed-off-by: Adolf Belka
--- lfs/keepalived | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/lfs/keepalived b/lfs/keepalived index fbb60a2ff..ed1ad87d3 100644 --- a/lfs/keepalived +++ b/lfs/keepalived @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = A keepalive facility for Linux -VER = 2.2.8 +VER = 2.3.1 THISAPP = keepalived-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = keepalived -PAK_VER = 15 +PAK_VER = 16 DEPS = 
@@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 3d8d738a0c4e6f00ea8dc3603813d21e52e259d301872f2db16c3373c3a034bedcf3f02e19d1b50855d90bbfece863e710d75a67e2d6dd057dfe451608a73fcb +$(DL_FILE)_BLAKE2 = f4e0de6147f0a33d2d87f12da4dda014fa820ba3502fd8f92eaaa4a8e56d26ea4bb1902df5c7ee13e4b81336e3b237d1ddc8247e443ea351646259c9e1ddb90b install : $(TARGET) @@ -81,8 +81,10 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc \ - --with-kernel-dir=/usr + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --with-kernel-dir=/usr cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
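Review bot: the VER bump from 2.2.8 to 2.3.1 in the second hunk pulls in two upstream releases (2.3.0 and 2.3.1) whose changelog above lists newly installed material, such as documentation for the MH and TWOS schedulers and a KEEPALIVED_OPTION plus a comment added to the non-root systemd service file; the commit message states "Update of rootfile not required", so it should say that the rootfile was compared against the installed tree of an actual 2.3.1 build rather than assumed unchanged, since a stale rootfile silently drops new files from the package.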
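Review bot: the replacement $(DL_FILE)_BLAKE2 value in the fourth hunk is the only integrity check on the source tarball, because the third hunk's context shows DL_FROM = $(URL_IPFIRE), i.e. the archive is fetched from the IPFire mirror and not from upstream; the commit message should record how the mirrored keepalived-2.3.1.tar.gz was matched against the upstream release (its published signature or checksum, whichever upstream provides) before the hash was taken, so a reviewer can reproduce the value instead of trusting it as typed.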
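Review bot: the configure reformat in the last hunk changes no options (it only splits --prefix=/usr, --sysconfdir=/etc and --with-kernel-dir=/usr onto separate lines), but the 2.3.1 changelog above says its single fix concerns the secondary config file location when using --prefix=/usr, which is exactly how this build is configured; the commit message should confirm that the built binary still resolves its default config file under the --sysconfdir=/etc path, so the existing configuration keeps being read after the update rather than the daemon starting without it.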