ChangeLog
2016-04-02 Alexandre Cassen <[email protected]>
* keepalived-1.2.20 released.
* better VERSION handling
* ipvs: tcp check supports retry.
New tcp check config option "retry" sets the check retry counter.
If the tcp check fails on an alive server, keepalived will perform
further checks until the n_retry counter reaches zero, or until the check
succeeds. The delay between retry checks is configured by the
"delay_before_retry" config option. The default value is 1 retry after 1 second.
This is the same feature that already exists in HTTP checker
(config option "nb_get_retry").
* check_http: retry logic is refined.
Retry on every error, including timeout and connection
error, but only when RS is up.
This is needed to reduce rs flaps: we shut the server down
only after nb_get_retry failed checks.
Also, do not wait for delay_loop after a successful check to
bring the server UP.
* ipvs: respect the error code of the ipvs_talk.
Previously, if the IPVS reflector was unable to perform
its task, it reported error through syslog and ignored it.
This behavior leads to inconsistencies with the quorum-handler:
it is called with UP even if no RS were added into the IPVS.
This could take place, for example, when there is a limit of
opened filehandles and keepalived was unable to open netlink
socket (it is opened on every call to the ipvs_talk).
Now the check is not marked as OK unless IPVS reflector reports
OK. A following successful check will try to add the RS again.
The special case errors "ENOENT on remove" and "EEXIST on add"
are treated with OK result code.
* ipvs: remove unused resulting error code.
These functions are turned from int into void:
ipvs_group_sync_entry, ipvs_group_remove_entry, ipvs_syncd_cmd.
* check_http: reduce cpu usage.
do MD5 calculation only when configured to do so.
* timer: reduce cpu usage.
timer_cmp is called too often and eats much of cpu cycles. Make
the comparison more effective. Increase code reuse in
monotonic_gettimeofday(). Use timer_reset_lazy() where possible
to omit the excess memset() call.
* scheduler: reduce CPU usage.
Since threads are sorted by t->sands, we can break out of the loop
as soon as a thread that has not yet expired is found.
* ipvs: rs weight changes properly on reload.
Do not remove and re-add a real_server when reloading config
if its weight has changed. Just edit the existing ipvs rs entry.
* ipvs: new service option "ip_family".
This option explicitly specifies the address family of a
fwmark IPVS service entry. Previously it was determined by
the AF of the first real server. This logic is kept as a fallback
when the "ip_family" option is missing.
Also, now it is possible to create two different services
for v4 and v6 with the same fwmark number.
* make 'smtp_server' config to support domain name.
* use getaddrinfo() instead of gethostbyname().
* make 'smtp_server' config to support domain name.
* Added vrrp 'timeout' to synopsis.
* Cleaned/fixed up KEEPALIVED-MIB, it now passes smilint
* Fixed vrrp_snmp_route() - it was returning the address of the pointer
instead of the IP address / network address for dst, gw, gw2, and src
* SNMP fixes/cleanup.
* Added support for static and virtual ip rules for use with policy
based routing
* Add info to set a default gateway into man and sample.
* vrrp: Fix socket setup code for IPv4 multicast.
if_setsockopt_mcast_if was only doing anything for IPv6 interfaces.
Make it work also for IPv4 interfaces, and then don't need to
call if_setsockopt_bindtodevice for multicast.
Is it still necessary to call it for unicast?
* vrrp: Set (and restore) interface parameters.
In order to receive and send multicasts on the correct interfaces
various parameters need to be set via the /proc/sys/net/ipv4/conf
interface. This patch sets them as needed, and restores any
changes on the underlying interface on exit.
If a user currently sets any parameters by scripts, that will
override these changes and still work, but this change in general
will make it unnecessary to change any parameters with scripts.
* vrrp: Leave VRRP multicast group by ifindex.
Since we know the interface index, use that instead of the address
since it is more efficient. Also, in the unlikely event that the
interface doesn't have an address, then this avoids a problem.
* vrrp: Don't delete vmac interfaces before dropping multicast membership.
Further to commit afea07bd94384c8ac8125e8cdbfd18bc4a46b14e,
dropping the multicast memberships was failing, since the vmac
interfaces had already been deleted. This patch keeps the vmac
interfaces until after the IP_DROP_MEMBERSHIP ioctls. Separating
the sending of the VRRP priority 0 messages from the shutdown
of the vrrp instances is necessary since vrrp_dispatcher_release
closes the sockets that are needed for sending the messages.
* vrrp: Don't open vrrp_send_socket if address family is wrong.
open_vrrp_send_socket was opening a socket, and then checking that
the address family was valid. Checking that the address family is
valid at the beginning of the function streamlines the code.
* vrrp: Stop m'cast packets being queued (and not received) on send socket.
If there are other vrrp instances on the same network, their
multicast packets are queued to our vrrp send socket, but since we
don't receive on that socket, the messages just get queued in the
kernel (run netstat -anp | grep keepalived to see the queued
packets increasing).
This patch clears the IP_MULTICAST_ALL option, to stop these
packets being queued.
* vrrp: Fix typos in log messages.
* vrrp: Fix RFC reference.
* vrrp: Fix vrrp parser error message.
* vrrp: Add interface index to vrrp dump data.
* vrrp: Don't specify source address in IP_ADD_MEMBERSHIP ioctl.
If ifindex is specified, any source address given is ignored.
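The four entries above describe one socket setup: pick the egress interface for the IPv4 send socket by interface index instead of SO_BINDTODEVICE, join and leave the group by index rather than by address, and clear IP_MULTICAST_ALL on the send socket so other routers' advertisements are not queued to a socket nobody reads. The following is an added illustration and not keepalived's code: it uses a UDP socket so it runs unprivileged (keepalived itself opens a raw IPPROTO_VRRP socket, which needs CAP_NET_RAW), and the self-check at the end uses the loopback interface purely because it always exists.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <string.h>
#include <unistd.h>

#define VRRP_MCAST_GROUP_V4 "224.0.0.18"   /* RFC 5798 IPv4 advertisement group */

/* Send socket pinned to one interface by index. IP_MULTICAST_IF with an
 * ip_mreqn selects the egress interface, so SO_BINDTODEVICE is not needed for
 * multicast. Clearing IP_MULTICAST_ALL stops the kernel delivering traffic of
 * every group joined on the host to this socket, which is never read from, so
 * nothing accumulates in its receive queue. UDP stands in for the raw
 * IPPROTO_VRRP socket keepalived uses. */
int open_send_socket_v4(unsigned int ifindex)
{
    struct ip_mreqn mreq;
    int fd, off = 0;

    fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    memset(&mreq, 0, sizeof(mreq));
    mreq.imr_ifindex = (int)ifindex;      /* imr_address is ignored when an index is given */
    if (setsockopt(fd, IPPROTO_IP, IP_MULTICAST_IF, &mreq, sizeof(mreq)) < 0 ||
        setsockopt(fd, IPPROTO_IP, IP_MULTICAST_ALL, &off, sizeof(off)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Join (join != 0) or leave the VRRP group on the interface identified by
 * index; this works even if the interface has no IPv4 address of its own. */
int set_vrrp_membership_v4(int fd, unsigned int ifindex, int join)
{
    struct ip_mreqn mreq;

    memset(&mreq, 0, sizeof(mreq));
    if (inet_pton(AF_INET, VRRP_MCAST_GROUP_V4, &mreq.imr_multiaddr) != 1)
        return -1;
    mreq.imr_ifindex = (int)ifindex;
    return setsockopt(fd, IPPROTO_IP, join ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP,
                      &mreq, sizeof(mreq));
}

/* Read back IP_MULTICAST_ALL: 1 is the kernel default, 0 means cleared. */
int multicast_all_state(int fd)
{
    int v = -1;
    socklen_t len = sizeof(v);

    if (getsockopt(fd, IPPROTO_IP, IP_MULTICAST_ALL, &v, &len) < 0)
        return -1;
    return v;
}

/* Self-check on loopback (chosen only because it always exists): returns the
 * IP_MULTICAST_ALL state of a freshly opened send socket, expected 0, or a
 * negative value if the socket could not be set up. */
int demo_send_socket_state(void)
{
    unsigned int idx = if_nametoindex("lo");
    int fd, state;

    if (idx == 0)
        return -2;
    fd = open_send_socket_v4(idx);
    if (fd < 0)
        return -3;
    state = multicast_all_state(fd);
    close(fd);
    return state;
}
```

To see the original symptom, leave IP_MULTICAST_ALL at its default on a send-only socket on a segment with other VRRP routers and watch the Recv-Q column for that socket grow in netstat or ss.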
* vrrp: If fail to remove vmac i/f, don't report success after fail message.
* Help vim's formatting to work in configure.in.
The single "'" in a comment confuses vim, and the screen formatting
gets confused. Adding a second "'" in a C comment sorts vim out.
* vrrp: Don't explicitly drop IGMP membership before interface deletion.
The kernel will send IGMP leave group messages when an interface
is deleted, so there is no need for us to do so. Experimentation
has shown that explicitly doing IGMP_DROP_MEMBERSHIP doesn't make
it any more likely the IGMP leave group messages will be sent.
Adding the 1 second sleep significantly increases the likelihood
of the IGMP messages being sent, but it doesn't guarantee it.
Extending the sleep time doesn't improve the chances.
* Fix compiler warnings.
* vrrp: Add info to set a default gateway into man and sample.
* vrrp: Don't report error on interface creation/deletion.
netlink_reflect_filter was returning an error if it didn't already
know about an interface that has just been created. If we don't
know about the interface, simply ignore it. Likewise on interface
deletion, if we don't know about the interface, ignore it.
* vrrp: Ensure the first interface's parameters are set when using libnl3.
Patch 60217b63242bee37b1c97a04644be6eb5e18b4c4 sets the interface
parameters for each interface, but when using libnl3 there was a
conflict with libnl, causing the parameters not to be set for the
first interface. This patch makes vrrp_netlink.c use libnl3 if it
is available, to avoid the conflict.
* vrrp: Fix interface parameter setting with libnl3 and error message on
interface creation/deletion
* vrrp: Allow gratuitous ARP parameters to be configured globally.
It is likely that the gratuitous ARP parameters will want to be
the same for all interfaces, so allow the defaults to be set
globally. Also allow vrrp_garp_delay to be set to 0 to indicate not to
send further garp messages after a delay (to emulate how the
kernel sends gratuitous ARPs).
* ipvs: Remove nat_mask configuration parameter.
nat_mask was only valid with 2.2 kernel, and the implementation of
it was removed in patch d51194f... but some of the configuration
code remained. This patch removes all remaining code relating to
nat_mask.
* Update man pages. keepalived.conf.5 is updated to include all
configuration parameters, and keepalived.8 is updated to document the
signals that can be used with keepalived.
* Remove remaining 2.2 kernel code.
* vrrp: Allow specification of default VRRP version to use.
Rather than have to specify using VRRP version 3 on each VRRP
instance, allow global configuration to set the default version.
* vrrp: Remove use of deprecated nl_join_groups().
The use of nl_join_groups was introduced in commit 84cf733.. in
order to resolve quickly a problem introduced in an earlier patch.
This patch follows the approach adopted by libnl3, which uses a
list of groups, rather than a bitmap which is limited to 32 groups.
* Documentation updates, removal of redundant code, global config.
* vrrp: set router flag in neighbour advertisements.
This is necessary in order to prevent the IPv6 stack on a node that
receives the unsolicited and overriding neighbour advertisement for the
VIP (that gets sent automatically when Keepalived transitions to MASTER
state) from immediately removing the VIP from its list of default
routers. See https://bugs.launchpad.net/bugs/1520517 for an example of
the problems this can cause.
Note that the approach in this patch simply unconditionally sets the
router flag. That is better than having it unconditionally unset (VRRP
stands for Virtual *Router* Redundancy Protocol, after all), but it
might not be appropriate whenever VRRP is used to fail over addresses
that are used for other tasks than being routers. Thus it might be
better to read in the interface's "forwarding" sysctl and set the router
flag accordingly, or making the value of the router flag configurable in
keepalived.conf.
* vrrp: Dynamic addition of interfaces from netlink msg.
When a tracked interface is deleted then recreated with the same config
VRRP groups tracking this interface will remain down. This is due to
tracking of stale information.
This patch listens for netlink messages for the creation of interfaces
and does one of two things.
i) If the interface doesn't exist in the vrrp interface list a new
interface structure is created and the information from the message is
used to fill the structure. This new interface is then added to the
interface queue.
ii) If the interface already exists in the queue we zero it and then
use the information in the message to fill the structure.
* branch to fix empty RS list issue.
* a fix for services with no RS.
* check: segfault when there is no real server for a virtual server.
* vrrp: Stop memory leak rename function for convention.
Renamed netlink_populate_intf_struct to netlink_if_link_populate to fit
with file naming scheme.
It was possible that a created ifp structure would not be cleaned up if
netlink_if_link_populate returned a -1, fixed this so the structure is
FREEd.
* Make parent process handle and propagate USR1/2 signals.
In order to be able to automate writing configuration and/or stats
the signals USR1 and USR2 need to be able to be sent to the parent
process since its pid can be read from /var/run/keepalived.pid.
The parent then needs to propagate these signals to a vrrp child.
* Ignore all signals except those explicitly wanted.
In order to harden keepalived against a user accidentally sending
a wrong signal to keepalived, set all signals other than those we
want actioned to be ignored.
* Remove potential race condition when setting signal handlers.
There was the potential for signal_run_callback to be invoked
after calling sigaction for a signal, prior to the internal signal
handler signal_SIG***_handler and signal_SIG***_v variables being
set up. To remove the race condition, when setting a signal handler
block the signal until the internal handlers have been fully set up.
* Make signal_ignore mean ignore.
signal_ignore was setting a signal handler for the signal, but
then taking no action when the signal was received. This is now
changed so the signal is actually set to be ignored.
* Streamline signal handling code.
There was some duplication of the code for signal handling, and
this slight restructuring avoids the duplication and makes it
simpler.
* vrrp: Invoke notify scripts with the default signal disposition.
It is reasonable for notify scripts to expect to be invoked with
the standard signal disposition, so when first setting up signal
dispositions, remember the original state so it can be restored
before the notify scripts are exec'd.
* Return address of previous signal handler according to SA_SIGINFO.
The man page for sigaction(2) states that SA_SIGINFO is only
meaningful when establishing a signal handler. This appears not
to be the case, since the flag will be set in the oldact structure
on return from sigaction if the previous signal handler was
established using the SA_SIGINFO flag.
* Invoke all scripts with the default signal disposition.
Just as the change for notify scripts, it should apply to other
scripts as well.
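The signal entries above make three separate points: block a signal while its handler and the handler's private state are being installed so no delivery can observe a half-initialised handler; make "ignore" really mean SIG_IGN rather than a handler that does nothing; and, in the child, put every disposition back to what it was before exec'ing a notify or check script, since SIG_IGN dispositions (unlike handlers) survive exec. The following is an added example written for this page, not keepalived's signal code; the callback table and demo_cb are its own constructs standing in for the per-signal variables the entry refers to.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stddef.h>
#include <string.h>

/* Dispositions as they were before we changed them; restored in the child
 * between fork() and exec() so a script starts with the signal environment
 * the daemon itself was started with. */
static struct sigaction saved_act[NSIG];
static int saved_valid[NSIG];

/* Per-signal state the handler consults (stands in for the signal_SIG*_v
 * variables in the entry); only ever written while the signal is blocked. */
static void (*handler_cb[NSIG])(int, siginfo_t *, void *);

static void trampoline(int sig, siginfo_t *info, void *ctx)
{
    if (sig > 0 && sig < NSIG && handler_cb[sig])
        handler_cb[sig](sig, info, ctx);
}

/* sigaction() that records the original disposition the first time. */
static int set_action(int sig, const struct sigaction *act)
{
    int rc = sigaction(sig, act, saved_valid[sig] ? NULL : &saved_act[sig]);
    if (rc == 0)
        saved_valid[sig] = 1;
    return rc;
}

/* Install cb for sig without the race: the signal is blocked across the
 * sigaction() call and the bookkeeping, so a delivery cannot see the new
 * handler while handler_cb[sig] is still unset. */
int install_handler(int sig, void (*cb)(int, siginfo_t *, void *))
{
    sigset_t block, old;
    struct sigaction act;
    int rc;

    if (sig <= 0 || sig >= NSIG || !cb)
        return -1;
    sigemptyset(&block);
    sigaddset(&block, sig);
    if (sigprocmask(SIG_BLOCK, &block, &old) < 0)
        return -1;

    memset(&act, 0, sizeof(act));
    act.sa_sigaction = trampoline;
    act.sa_flags = SA_SIGINFO;
    sigemptyset(&act.sa_mask);
    rc = set_action(sig, &act);
    if (rc == 0)
        handler_cb[sig] = cb;       /* state complete before the signal is unblocked */

    sigprocmask(SIG_SETMASK, &old, NULL);
    return rc;
}

/* Really ignore the signal (SIG_IGN), not a handler that drops it. */
int ignore_signal(int sig)
{
    struct sigaction act;

    if (sig <= 0 || sig >= NSIG)
        return -1;
    memset(&act, 0, sizeof(act));
    act.sa_handler = SIG_IGN;
    sigemptyset(&act.sa_mask);
    return set_action(sig, &act);
}

/* For the child before exec(): undo every disposition we changed and clear
 * the signal mask. */
int restore_dispositions(void)
{
    sigset_t none;
    int sig, rc = 0;

    for (sig = 1; sig < NSIG; sig++) {
        if (!saved_valid[sig])
            continue;
        if (sigaction(sig, &saved_act[sig], NULL) < 0)
            rc = -1;
        saved_valid[sig] = 0;
        handler_cb[sig] = NULL;
    }
    sigemptyset(&none);
    if (sigprocmask(SIG_SETMASK, &none, NULL) < 0)
        rc = -1;
    return rc;
}

/* Does sigaction() report SA_SIGINFO in oldact for sig? 1/0, or -1 on error.
 * (The entry above notes that it does, for handlers installed with the flag.) */
int handler_uses_siginfo(int sig)
{
    struct sigaction cur;

    if (sigaction(sig, NULL, &cur) < 0)
        return -1;
    return (cur.sa_flags & SA_SIGINFO) ? 1 : 0;
}

/* Callback for the self-check: counts deliveries. */
static volatile sig_atomic_t demo_count;
void demo_cb(int sig, siginfo_t *info, void *ctx) { (void)sig; (void)info; (void)ctx; demo_count++; }
int demo_deliveries(void) { return (int)demo_count; }
```

In the daemon, restore_dispositions() is the call that belongs immediately after fork() in the child and before execve(); in the parent nothing changes.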
* vrrp: Don't wait on script process being killed after timeout.
The child_timout_thread functions send a SIGKILL to a child
process that has timed out and didn't die quickly enough
after sending a SIGTERM. They then wait on the process dying.
The main problem is that if the waitpid is successful here, then
waitpid in thread_child_handler will never be successful for the
same pid, and so the entry on the child list will never be removed
and the parent thread will not be marked as ready.
There is also a theoretical possibility that the child process is
unkillable, and so the waitpid would hang forever.
* Set thread conditions before adding to list.
It seems safer to set the status and type of a thread before
adding it to the ready list.
* Remove some code duplication re running scripts.
misc_check_thread and vrrp_script_thread were virtually identical
so move duplicate code into new function system_call_script in
notify.c.
* Fix formatting of man page.
* Set standard signal disposition before invoking ip(6)tables.
Call signal_handler_notify before running iptables/ip6tables.
Since it is now called for more than notify scripts, rename
signal_handler_notify to signal_handler_script
* Move common code for opening fd 0/1/2 into a function.
The code for setting fd 0/1/2 to /dev/null before running a script
was in several places. All the common code is moved into a function
and the function called from the relevant places.
It is only necessary to reopen fd 0/1/2 if keepalived is running
with the --dont-fork option, since without that option the fds are
already open on /dev/null.
* Optimise closure of fds before invoking scripts.
Every time before a script was invoked, closeall() was called,
which would spin through 1024 file descriptors closing them, even
though the vast majority were not open, resulting in 1024 system
calls. To avoid that, open all sockets and file descriptors
(except fd 0/1/2) with the CLOEXEC flag set, so that the fds will
be closed by the kernel when the script is exec'd.
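The two entries above replace a 1024-iteration closeall() before every script with close-on-exec descriptors, and reopen fd 0/1/2 on /dev/null only under --dont-fork. The example below is added for this page and is not keepalived's code: it shows the two creation calls that make this work, the stdio redirection, and an audit routine that counts descriptors which would leak into a child, which is the check to run in a test build to confirm nothing was missed. The 65536 scan cap and the demo_* functions are this example's own choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/socket.h>

/* Count descriptors that would survive an exec(): open and without
 * FD_CLOEXEC. This is the work a closeall() loop does implicitly on every
 * script launch; here it is an audit to prove there is nothing left to close.
 * Capped so the scan stays cheap under a very large RLIMIT_NOFILE. */
int count_inheritable_fds(void)
{
    struct rlimit rl;
    long max_fd = sysconf(_SC_OPEN_MAX), fd;
    int flags, count = 0;

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        max_fd = (long)rl.rlim_cur;
    if (max_fd < 0 || max_fd > 65536)
        max_fd = 65536;
    for (fd = 0; fd < max_fd; fd++) {
        flags = fcntl((int)fd, F_GETFD);
        if (flags >= 0 && !(flags & FD_CLOEXEC))
            count++;
    }
    return count;
}

/* The two ways every long-lived descriptor should be created: the flag is
 * set atomically at creation, so there is no window in which a concurrent
 * fork()+exec() could inherit it. */
int open_cloexec(const char *path, int flags, mode_t mode)
{
    return open(path, flags | O_CLOEXEC, mode);
}

int socket_cloexec(int domain, int type, int protocol)
{
    return socket(domain, type | SOCK_CLOEXEC, protocol);
}

/* Only needed under --dont-fork, where 0/1/2 are still the terminal: point
 * them at /dev/null *without* CLOEXEC, because the script must inherit them. */
int stdio_to_devnull(void)
{
    int fd = open("/dev/null", O_RDWR), i, rc = 0;

    if (fd < 0)
        return -1;
    for (i = 0; i < 3; i++)
        if (fd != i && dup2(fd, i) < 0)
            rc = -1;
    if (fd > 2)
        close(fd);
    return rc;
}

/* Self-checks: 1 if the expectation holds, 0 if not, -1 if open() failed. */
int demo_cloexec_not_inherited(void)
{
    int before = count_inheritable_fds();
    int fd = open_cloexec("/dev/null", O_RDONLY, 0), ok;

    if (fd < 0)
        return -1;
    ok = count_inheritable_fds() == before;
    close(fd);
    return ok;
}

int demo_plain_open_inherited(void)
{
    int before = count_inheritable_fds();
    int fd = open("/dev/null", O_RDONLY), ok;

    if (fd < 0)
        return -1;
    ok = count_inheritable_fds() == before + 1;
    close(fd);
    return ok;
}
```

With every descriptor created this way, count_inheritable_fds() in the daemon should return 3 (just stdio), and the child can go straight from fork() to execve().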
* Simplify some IPv4/IPv6 code.
Code blocks were (unnecessarily) repeated in functions which
handled both IPv4 and IPv6 situations.
* Fix reloading and invoking notify scripts.
* Update vrrp_scheduler.c.
* Converted pdf user guide to RST with Sphinx.
* Added check for libnfnetlink header during the configure step.
* In free_list_elements invoke the free function if it exists.
* Use of LIST_ISEMPTY to check list exists causes memory leak.
* Stop parse_ipaddress FREEing via pointer passed to it.
parse_ipaddress FREE'd new following an error, but new could be an
address passed to the function, and therefore might not be MALLOC'd
memory. This commit makes the caller of parse_ipaddress free the
memory if there is an error and the calling function MALLOC'd the
memory.
* vrrp: Add vrrp_iptables global configuration option.
The iptables/ip6tables entries were always added at the end of the
INPUT chain, but for many configurations this is too late in the
processing. This patch allows the chain name to which rules are
added to be specified, and also allows the option of specifying
no rules are to be added.
If a chain name is specified, it is necessary for that chain to
already exist in the iptables and/or ip6tables config, and for
that chain to be called from an appropriate point in the
ip(6)tables configuration.
* vrrp: Add option to block outbound traffic from VIPs.
Unwanted traffic to VIPs is discarded by ip(6)tables. This adds
an option to also block outgoing traffic from VIPs.
* vrrp: Add iptables blocks for E-VIPs just like VIPs.
* vrrp: Allow unicast IPv6 Neighbour Solicits to be received.
An ip6tables rule is added to allow IPv6 NAs to be received, but
we also need to be able to receive NSs to respond to neighbours
attempting to verify our reachability.
* vrrp: Use correct MAC address for IPv6 VRRP packets.
The IPv6 VRRP packets were using the MAC address of the underlying
interface, rather than the MAC address of the vmac. This commit sets
the correct MAC address for IPv6, and also adds the link-local address
of the underlying interface to the vmac interface, so that VRRP
packets can be sent from the vmac interface, thereby using the VRRP
MAC address.
* vrrp: Disable IPv6 on IPv4 VRRP VMAC interfaces.
If IPv6 is not disabled on VMAC interfaces, an IPv6 link local
address is generated based on the virtual MAC address. This is not
only contrary to RFC 5798 para 7.4, but also causes duplicate
address detection failure. The address also just isn't needed!
* vrrp: Fix setting nlmsg_len for netlink messages.
For netlink messages, nlmsg_len must always be set to an aligned
length. Prior to this commit, nlmsg_len was only being aligned when
a subsequent attribute was added to the list. This was fine if the
length of the last attribute added was an aligned length (which had
always been the case), but didn't work if the last attribute added didn't
have an aligned length.
This patch is needed in preparation for adding an attribute which
doesn't have an aligned length.
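The alignment rule in this entry is easy to get wrong, and the one-byte IFLA_INET6_ADDR_GEN_MODE attribute mentioned further down is exactly the case that exposes it. The example below is added for this page and is not keepalived's netlink code: it builds the RTM_SETLINK request that asks the kernel not to autogenerate a link-local address, once with an attribute appender that always leaves nlmsg_len aligned (the shape of iproute2's addattr_l) and once with the pre-fix behaviour reproduced for contrast, then walks the result the way a receiver would. The interface index 5 and the 256-byte buffer are arbitrary; the message is never sent.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if_link.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* First byte after the aligned end of the message: where the next attribute goes. */
#define NLMSG_TAIL(n) ((struct rtattr *)(((char *)(n)) + NLMSG_ALIGN((n)->nlmsg_len)))

struct link_req {
    struct nlmsghdr  n;
    struct ifinfomsg ifi;
    char             buf[256];
};

/* Append an attribute and leave nlmsg_len aligned whatever the payload size. */
int addattr_l(struct nlmsghdr *n, size_t maxlen, int type, const void *data, size_t alen)
{
    size_t len = RTA_LENGTH(alen);
    struct rtattr *rta;

    if (NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len) > maxlen)
        return -1;
    rta = NLMSG_TAIL(n);
    rta->rta_type = type;
    rta->rta_len = len;
    if (alen)
        memcpy(RTA_DATA(rta), data, alen);
    n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len);
    return 0;
}

/* Pre-fix behaviour, kept only for contrast: the previous length is aligned
 * before appending, the new attribute's own length is not, so a final
 * one-byte payload leaves nlmsg_len unaligned. */
int addattr_unaligned(struct nlmsghdr *n, size_t maxlen, int type, const void *data, size_t alen)
{
    size_t len = RTA_LENGTH(alen);
    struct rtattr *rta;

    if (NLMSG_ALIGN(n->nlmsg_len) + len > maxlen)
        return -1;
    rta = NLMSG_TAIL(n);
    rta->rta_type = type;
    rta->rta_len = len;
    if (alen)
        memcpy(RTA_DATA(rta), data, alen);
    n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + len;
    return 0;
}

struct rtattr *addattr_nest(struct nlmsghdr *n, size_t maxlen, int type)
{
    struct rtattr *nest = NLMSG_TAIL(n);
    return addattr_l(n, maxlen, type, NULL, 0) < 0 ? NULL : nest;
}

void addattr_nest_end(struct nlmsghdr *n, struct rtattr *nest)
{
    nest->rta_len = (unsigned short)((char *)NLMSG_TAIL(n) - (char *)nest);
}

/* RTM_SETLINK: IFLA_AF_SPEC { AF_INET6 { IFLA_INET6_ADDR_GEN_MODE = NONE } }.
 * The innermost attribute carries one byte. Returns nlmsg_len, 0 on overflow. */
uint32_t build_addr_gen_mode_none(struct link_req *req, int ifindex, int use_fixed)
{
    uint8_t mode = IN6_ADDR_GEN_MODE_NONE;
    struct rtattr *af_spec, *inet6;
    int rc;

    memset(req, 0, sizeof(*req));
    req->n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
    req->n.nlmsg_type = RTM_SETLINK;
    req->n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->ifi.ifi_family = AF_UNSPEC;
    req->ifi.ifi_index = ifindex;

    af_spec = addattr_nest(&req->n, sizeof(*req), IFLA_AF_SPEC);
    inet6 = addattr_nest(&req->n, sizeof(*req), AF_INET6);
    if (!af_spec || !inet6)
        return 0;
    rc = use_fixed
        ? addattr_l(&req->n, sizeof(*req), IFLA_INET6_ADDR_GEN_MODE, &mode, sizeof(mode))
        : addattr_unaligned(&req->n, sizeof(*req), IFLA_INET6_ADDR_GEN_MODE, &mode, sizeof(mode));
    if (rc < 0)
        return 0;
    addattr_nest_end(&req->n, inet6);
    addattr_nest_end(&req->n, af_spec);
    return req->n.nlmsg_len;
}

/* Walk the top-level attributes as the kernel would: count, or -1 if the
 * declared lengths do not consume the payload exactly. */
int count_top_attrs(struct link_req *req)
{
    int len = (int)req->n.nlmsg_len - (int)NLMSG_LENGTH(sizeof(struct ifinfomsg));
    struct rtattr *rta = IFLA_RTA(&req->ifi);
    int count = 0;

    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len))
        count++;
    return len == 0 ? count : -1;
}

static struct link_req demo_req;
uint32_t demo_build(int use_fixed) { return build_addr_gen_mode_none(&demo_req, 5, use_fixed); }
int demo_parse(int use_fixed) { demo_build(use_fixed); return count_top_attrs(&demo_req); }
```

The unaligned variant yields a 45-byte message whose outer IFLA_AF_SPEC claims 16 bytes of a 13-byte payload, so a receiver skips the attribute and the request silently does nothing, which is the failure mode to expect from this class of bug rather than an error reply.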
* vrrp: Stop having an IPv6 link-local address added based on VMAC mac
address.
IPv6 link-local addresses that were based on the virtual MAC address of
the VMAC interface were being added. RFC5798 para 7.4 states that this
is not permitted. It also causes duplicate address detection failure,
since each instance of the virtual router was configuring the same
IPv6 address on the same subnet.
This commit stops the offending link-local address being added (or removes
it if it can't stop it being added), and since VRRP advertisements must
be sent with the virtual MAC address, but a link-local address for the
interface, if a link-local address from the underlying interface exists,
it is added to the VMAC interface, otherwise the MAC address of the
underlying interface is used to generate a link-local address, which is
then added.
It wasn't until Linux 3.17 that the IFLA_INET6_ADDR_GEN_MODE netlink
message was added, via which one can stop a link-local address being
automatically configured. Therefore, if IFLA_INET6_ADDR_GEN_MODE is not
supported, the only way to ensure that the problematic link-local
address is not added is to remove it after the interface is brought up.
This is not ideal, since there is a small window when the "illegal",
and possibly duplicate, link-local address exists, but I haven't
found any other way of doing it for pre 3.17 kernels.
* vrrp: Stop sending unnecessary attributes in netlink messages.
When an IPv6 virtual address was deleted, it was being reported
in the log file that preferred lifetime was being set to 0, which
is only relevant when the address is being added. This commit stops
adding the IFA_CACHEINFO attribute when deleting addresses, and
also stops adding other unnecessary attributes.
* vrrp: Allocate an IPv6 link local address to VMAC if none on real
interface.
The physical interface that a VMAC is configured on may not have an
IPv6 link local address, but we can construct one for the VMAC using
the MAC address of the underlying interface.
* vrrp: Remove code allowing mixed IPv4/IPv6 addresses.
If addresses of both types were configured, the receiving end would
reject the packet since the count of addresses received would have been
wrong since only addresses of one family can be sent, see vrrp_in_chk:
if (hd->naddr != LIST_SIZE(vrrp->vip))
Since we don't want to send the addresses of the wrong family, add them
to the virtual_ipaddress_excluded block rather than the virtual_ipaddress
block.
* vrrp: Only set router flag in Neighbour Advertisements if forwarding.
* vrrp: Enforce maximum number of vips per virtual router.
If there were more than one virtual_address blocks in a
virtual_router block, one could add as many virtual addresses as
one wanted, since it didn't check the number already read.
* vrrp: Don't ignore excess virtual_address entries.
If there are too many virtual_address entries, add them to the
excluded block, but still give a warning message.
* vrrp: Verify VRRP configuration after all configuration read.
There was a lot of duplicated checking in vrrp_parser.c to ensure that
configured parameters were consistent, and also a requirement to configure
certain parameters before others. This checking was incomplete, and also
becoming more and more complex as more configuration options were added.
This commit delays a large part of the checking until after all the
configuration has been read. This removes the need for options to be
specified in a certain order and also for checking in multiple places
whether certain combinations are valid.
As a consequence of the delay in checking the configuration, the creation
of the VMAC interfaces is delayed until after the checking.
* vrrp: Accept is only valid for VRRPv3
* vrrp: Verify priority and init_state consistent.
* vrrp: Verify password specified for authentication.
* vrrp: Verify have an ip address for interface.
* vrrp: xmit_base is only valid on a VMAC.
* vrrp: Ensure at least one VIP is configured on a VRRP instance.
This commit requires at least one VIP to be configured on a
vrrp_instance. Although the code looked as though it was designed to
allow 0 VIPs, not only was that a protocol violation, but also keepalived
rejected any VRRPv3 packets received without any VIPs, and also any VRRPv2
with IPv6 due to the check in vrrp_in_chk() in vrrp.c.
* vrrp: Generate unique default VMAC interface names.
Since the virtual router ID can be duplicated both between IPv4 and IPv6,
and also between different interfaces, the approach of setting a default
interface name as vrrp.VRID could produce duplicate names.
This commit now attempts to use vrrp.VRID, but if that already exists,
then it will try vrrpN.VRID, where N starts from 1 and increases until an
unused name is found (for IPv6 it tries vrrp6.VRID before vrrp1.VRID).
* vrrp: Ensure necessary uniqueness of VRIDs.
VRIDs must be unique for a given address family and interface.
This commit ensures that there is no duplication of VRID/address family
on any interface.
* vrrp: Don't assign VIPs/eVIPs to the default interface.
alloc_ipaddress was always setting the interface to DLFT_INT (eth0) if no
dev DEVNAME was specified to a VIP/eVIP/static address. This is fine for a
static address, but doesn't make sense for a VIP or eVIP, since they should
be assigned to the vrrp_instance interface, unless explicitly configured
otherwise.
In fact, it probably doesn't make sense to specify dev DEVNAME for a
VIP/eVIP, since the addresses must be assigned to the vrrp_instance
interface.
* If a configuration error occurs between {}, skip to end.
If a configuration error occurred in a block, the parser could get confused.
This commit makes the parser ignore all further entries until the end
of the block.
* Don't allow specification of default as an address where inappropriate.
The function parse_ipaddress would allow default or default6 to be
specified for any address it parsed, but it doesn't make sense in a
lot of cases, so add a parameter to indicate if default is valid.
* Improve checking of configured advertisement timer.
* vrrp: Make sure that a VRRP instance has a name and is unique.
It was possible to specify a vrrp_instance without a name. It was also
possible to specify the same vrrp instance name twice.
* Extra validation for reading ip addresses.
* vrrp: Ensure a sync group has a name and hasn't already been specified.
* vrrp: VRRP authentication is dependent on VRRPv2 not IPv4.
The check for authentication is not dependent on IPv4, but rather on
VRRPv2. This check will be conducted after reading the whole configuration.
* vrrp: Log error if unknown authentication type.
* Check for, and handle, '{' at beginning of a block.
There was no check for a '{' at the beginning of a configuration block.
This commit is the start of that check, allowing it either at the end
of the line with the keyword, or on a line of its own.
Also, in respect of group and notification_email, for all other configuration
items, the '{' could follow on a line of its own, but for configuration
items using read_value_block the '{' on a line following the keyword
was read as a configuration entry.
* Check for, and report, unknown keywords.
A misspelt keyword would have been silently ignored, potentially causing
the user difficulty in understanding why his configuration wasn't working.
* If an address fails to parse, ensure don't return an apparent address.
When reading an address, the address family was set early on, and a
subsequent failure to parse the address left the address family configured,
thereby making it appear that a valid address had been read. Simply set the
address family to AF_UNSPEC on a failure.
* Ensure an address option has a value.
There was no check that the parameter was present after a keyword, so for
example : 1.2.3.4 dev
would not have generated an error message, and alloc_ipaddress would have
attempted to read a word after dev, which would either cause a core dump
or possibly return a parameter from a previous configuration line.
This type of checking probably needs to be added elsewhere too.
* Add validation of address scope.
* vrrp: Don't allow group block more than once in a sync group.
If a second group is configured, the first group is lost, and its
malloc'd memory is also lost.
* vrrp: Make sure sync groups have at least two members.
If a sync group was configured with no group {} statement, or if
the group statement had no entries, then keepalived would core dump.
This commit rejects groups with 0 members, and also with 1 member,
since it isn't a group. It also checks that a virtual_instance isn't
configured in more than one sync group, and also that the group
members specified exist.
* The address must be the first record in an address configuration item.
When an address is configured, it must be the first entry on the line.
This allows options specified afterwards to know the address family,
and also when reporting errors to include the address.
* vrrp: Log error if IPv6 and first address is not link local.
RFC5798 section 5.2.9 requires that if the protocol is IPv6, then
the first address must be the link local address of the virtual
router.
* vrrp: Ensure that the full VRRP packet has been received in the buffer.
Although after receiving a VRRP packet, it checked that the length
specified in the IP header was long enough to contain all the VRRP data,
it didn't check that the data actually received was sufficiently long,
so this check is added.
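The distinction in this entry matters: the IP header's tot_len is written by the sender, so a length check that only compares tot_len against the VRRP fields still reads past the end of a short datagram. The bound that cannot be forged is the byte count the receive call returned. The example below is added for this page and is not keepalived's vrrp_in_chk(): it validates an IPv4 VRRPv2 advertisement in the order a parser must (bytes received, then ihl, then tot_len against received, then the VRRP header, then naddr), against constructed packets for VRID 51 whose checksums are left at zero and which are never sent.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/ip.h>

#define VRRP_PROTO_NUM 112
#define VRRP_VERSION_2 2
#define VRRP_AUTH_LEN  8        /* VRRPv2 trailing authentication data */

struct vrrp2_hdr {
    uint8_t  vers_type;         /* version in the high nibble, type in the low */
    uint8_t  vrid, priority, naddr, auth_type, adver_int;
    uint16_t chksum;
};

enum vrrp_chk {
    VRRP_OK = 0,
    VRRP_ERR_SHORT_IP,          /* fewer bytes than an IPv4 header */
    VRRP_ERR_BAD_IHL,           /* not IPv4, or ihl below 20 */
    VRRP_ERR_TRUNCATED,         /* tot_len or ihl claims more than was received */
    VRRP_ERR_SHORT_VRRP,        /* no room for the fixed VRRP header */
    VRRP_ERR_VERSION,
    VRRP_ERR_NADDR              /* naddr implies address/auth bytes tot_len lacks */
};

/* 'received' is what recvfrom() returned. tot_len is attacker-controlled and
 * is trusted only after it has been checked against 'received'. */
enum vrrp_chk vrrp2_check_lengths(const uint8_t *buf, size_t received)
{
    const struct iphdr *ip;
    const struct vrrp2_hdr *hd;
    size_t ihl, tot_len, need;

    if (received < sizeof(struct iphdr))
        return VRRP_ERR_SHORT_IP;
    ip = (const struct iphdr *)buf;
    ihl = (size_t)ip->ihl * 4;
    if (ip->version != 4 || ihl < sizeof(struct iphdr))
        return VRRP_ERR_BAD_IHL;
    tot_len = ntohs(ip->tot_len);
    if (tot_len > received || ihl > received)
        return VRRP_ERR_TRUNCATED;                    /* the check this entry adds */
    if (tot_len < ihl + sizeof(struct vrrp2_hdr))
        return VRRP_ERR_SHORT_VRRP;
    hd = (const struct vrrp2_hdr *)(buf + ihl);
    if ((hd->vers_type >> 4) != VRRP_VERSION_2)
        return VRRP_ERR_VERSION;
    need = ihl + sizeof(struct vrrp2_hdr) + (size_t)hd->naddr * 4 + VRRP_AUTH_LEN;
    if (tot_len < need)
        return VRRP_ERR_NADDR;
    return VRRP_OK;
}

/* Constructed sample advertisement with 'naddr' VIPs from 192.168.0.100.
 * A non-zero claimed_tot_len overrides the true length to forge a mismatch.
 * Returns the bytes written, 0 if the buffer is too small. */
size_t build_sample_advert(uint8_t *buf, size_t cap, uint8_t naddr, uint16_t claimed_tot_len)
{
    size_t off = sizeof(struct iphdr) + sizeof(struct vrrp2_hdr);
    size_t len = off + (size_t)naddr * 4 + VRRP_AUTH_LEN;
    struct iphdr *ip = (struct iphdr *)buf;
    struct vrrp2_hdr *hd = (struct vrrp2_hdr *)(buf + sizeof(struct iphdr));
    uint8_t i;

    if (len > cap)
        return 0;
    memset(buf, 0, len);
    ip->version = 4;
    ip->ihl = 5;
    ip->ttl = 255;
    ip->protocol = VRRP_PROTO_NUM;
    ip->tot_len = htons(claimed_tot_len ? claimed_tot_len : (uint16_t)len);
    ip->saddr = htonl(0xC0A80001u);                    /* 192.168.0.1 */
    ip->daddr = htonl(0xE0000012u);                    /* 224.0.0.18 */
    hd->vers_type = (VRRP_VERSION_2 << 4) | 1;         /* type 1: advertisement */
    hd->vrid = 51;
    hd->priority = 100;
    hd->naddr = naddr;
    hd->adver_int = 1;
    for (i = 0; i < naddr; i++) {
        uint32_t vip = htonl(0xC0A80064u + i);
        memcpy(buf + off + (size_t)i * 4, &vip, 4);
    }
    return len;
}

static uint8_t pkt[128];

/* Well-formed, fully received. */
int demo_valid(void)     { size_t n = build_sample_advert(pkt, sizeof(pkt), 2, 0);  return vrrp2_check_lengths(pkt, n); }
/* tot_len says 44 bytes, only 34 arrived. */
int demo_truncated(void) { size_t n = build_sample_advert(pkt, sizeof(pkt), 2, 0);  return vrrp2_check_lengths(pkt, n - 10); }
/* naddr promises two VIPs plus auth data that tot_len (30) does not cover. */
int demo_naddr_lie(void) { size_t n = build_sample_advert(pkt, sizeof(pkt), 2, 30); return vrrp2_check_lengths(pkt, n); }
```

Every later field read (the VIP list compared against the configured VIPs, the authentication data) stays inside the received buffer once this function has returned VRRP_OK.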
* vrrp: Stop VIPs in same CIDR being deleted, but only when using vmac
so far.
If an interface has more than one IP address in the same CIDR, when
the "primary" address is deleted, all the secondary addresses are
also deleted, unless /proc/sys/net/ipv4/conf/IFACE/promote_secondaries
is 1. This commit sets the promote_secondaries flag on vmacs.
* vrrp: Make from and to for VRRP iprules use a define.
"From" and "To" were being stored as words rather than converted to a
defined value. This made storage requirements larger and processing
them more time consuming.
* Don't report configuration bytes used if not _DEBUG_.
If _DEBUG_ is not defined, malloc was increasing the count of memory
allocated when called, but free wasn't reducing the count, and so the
figure reported was meaningless.
This commit completely disables the memory allocated counting and
reporting if _DEBUG_ is not defined.
* vrrp: Use defines for address scopes.
Rather than hard coded values for address scopes, use RT_SCOPE_*
* Force order of multiplication and division to avoid underflow.
* Clear list pointer after freeing list.
* Fix handling of active in vectors. active wasn't being consistently
updated or reported for vectors.
* Make functions always returning 0 void.
Three functions in utils.c always returned 0, and the calling
functions weren't checking the return code, since it was pointless,
so the functions have been changed to be of type void.
* Use struct in_addr rather than uint32_t for IPv4 address.
* vrrp: Disable all VMAC configuration code if we don't have VMACs.
* Allow multiple spaces in quoted strings.
The handling of quoted strings saved each word separated between
tokens of '"'. This meant reconstructing a quoted string lost multiple
spaces and was hard work.
Quoted strings are now saved as the whole quoted string, without the
quotes, so retrieval is much simpler. This also allows further keywords
to follow the quoted string, if desired.
* vrrp: Remove string length dependencies in vrrp_print.
* vrrp: Stop using deprecated bcopy.
* vrrp: Add vrrp_instance name to some log messages.
* Optimise returning from list_element() when end of list reached.
* Make free_melement a static function.
* Use INET6_ADDRSTRLEN rather than hardcoded length.
* Don't format log message if not going to log it.
* vrrp: Add option to reduce vrrp advert address checking.
By default, every received VRRP advertisement checks the advertised
addresses are the same as the configured addresses, which is O(n^2).
This change adds the option to check the first packet received from
a master, but not to check the VIP list in subsequent adverts from
the same master.
* vrrp: Ensure vrrp_buffer large enough for largest possible received
packet.
The allocated receive buffer had size VRRP_PACKET_TEMP_LEN, which
suggests that it wasn't intended as the final solution.
Instead of using a fixed buffer size, the maximum MTU across all the
interfaces is calculated, and the size of the vrrp_buffer allocated
is the maximum MTU size. This guarantees that any VRRP packet received
will fit in the buffer.
* vrrp: Improved received VRRP packet checking.
First check the protocol headers have been received, then before
checking the overall length of the received data, check the data in
the protocol headers, since this will allow more meaningful errors
to be reported. For example if there was a mismatch between VRRP
versions with IPv4, a length error was being reported, rather than
the version mismatch.
All the error messages in VRRP packet checking now include VRRP
instance name, to help tracking down where the error lies.
* vrrp: Remove fixed limit number of VIPs in a VRRP advert.
There was an arbitrary limit of VRRP_MAX_VIP (20) VIPs for sending
a VRRP advert. Now that the vrrp_buffer is sized to be able to
receive any packet up to the largest MTU size, we can dynamically
allow as many VIPs as will fit in a packet (which varies depending
on IPv4 or IPv6).
There is also an overhead checking the received addresses in an
advert against the VIPs configured on the instance, but this can now
be mitigated by setting skip_chk_adv_addr on the VRRP instance.
* vrrp: Fix printing of vrrp tracking scripts.
* vrrp: Print Last transition time in human readable form.
* Disable assert statements unless _DEBUG_ is defined.
* Streamline free_list_element
* Remove duplication of code between free_list and free_list_elements.
* vrrp: Add vrrp strict mode, enforcing VRRP compliance.
The commit doesn't yet implement strict mode, but it will block
0 VIPs, unicast peers, IPv6 in VRRPv2.
* vrrp: Add some strict tests.
In strict mode, the following are enforced:
IPv6 requires VRRPv3
There must be at least one VIP per VR instance
No unicast peers
Must be address owner to start in MASTER mode
* vrrp: Don't allow AH authentication with IPv6 and VRRPv2.
Of course, the RFCs don't allow IPv6 in VRRPv2, but it is an
extension supported by keepalived.
* vrrp: Some minor ipsecah updates.
* vrrp: Clearly identify that VRRP has subblocks of VRRP scripts.
The keepalived.conf.5 man page wasn't explicit that there are VRRP script
subblocks as part of the VRRP configuration, and this is now explicit.
* Trivial edits to man page keepalived.conf(5).
* man page: remove static_rules configuration from vrrp_instance.
keepalived.conf.5 man page had an entry for static_rules within the
vrrp_instance blocks, and this is clearly wrong.
* vrrp: Fix typo in error message when sending VRRP advert.
* vrrp: Add option not to include vrrp authentication code.
RFC3768 updated VRRPv2 to remove authentication in 2004. This commit
adds a configure time option to exclude authentication code.
* vrrp: When adding ip(6)tables entries, only specify i/f for link_local
addresses.
Packets to/from global address could arrive or be sent on any interface,
so don't specify the interface for blocking the packets. For link local
addresses, the block must relate to the specific interface.
* vrrp: Add ability to use libiptc rather than invoking ip(6)tables.
Invoking ip(6)tables has a high overhead, since the process has to be
forked and exec'd, and then it has to read the whole ip(6)tables
filter chain before it makes a single update and commits it back.
Using libiptc avoids the overhead of multiple forks/execs, and also
means that multiple entries can be added/deleted to/from the ip(6)tables
configuration in a single update.
* vrrp: Add option to use ipsets instead of iptables to block addresses.
Instead of having lists of addresses in iptables, it is much more
efficient to use ipsets to handle those addresses, since that is
what it is designed for.
* Use /proc/sys/kernel/modprobe to find modprobe.
* Reinstate SIGCHLD before forking to exec modprobe for ip_vs.
The fork of modprobe to load ip_vs would have reported a failure
even though it would have succeeded.
* Fix forking/execing re closing signal pipe.
When calling scripts, we don't want to give them access to the signal
pipe used between the parent process and the vrrp process.
* vrrp: Fix compile error when net/if.h and netlink/route/link.h conflict.
Some versions of libnl3 netlink/route/link.h conflict with some
versions of kernel header file net/if.h. This commit has a
workaround for when there is a conflict.
* vrrp: Fix compile failure with old kernels and libnl3.
Issue #215 identified a compile error with pre 3.13 kernels when
libnl3 was installed. This commit adds a test for that situation
and avoids using rtnl_link_inet_[sg]et_conf.
I haven't been able to test this on a pre 3.13 kernel, but I have
simulated the scenario and it compiles as expected.
* vrrp: Fix compilation when ipsets not installed.
* vrrp: Fix build breakage when not using libiptc.
* vrrp: Fix VRRP respawning when no VIPs specified.
Commit b46dec58fa failed to check that the VIP list existed before
checking how many entries were in the list.
This commit also defaults the address family to IPv4 if no VIPs are
specified.
* vrrp: Make dependency on libnfnetlink/libnfnetlink.h conditional.
* Streamline handling of daemon mode flags.
* Improve handling of not being able to read a pid file.
If a pid file was opened, but for some reason a pid could not
successfully be read, the pid used to check if a process was
running was random.
* Remove unused pid filename definitions.
* Change outstanding debug flag tests to use bitops helpers.
* Allow for different sizes of long ints in bitops.
* vrrp: Ensure conversions of vrrp->adver_int etc don't overflow.
* Use bitops with daemon_mode.
* vrrp: Fix ip_rule direction for SNMP.
Commit 2da11f99 introduced defines for ip_rule directions rather
than using strings, but the commit omitted to update the snmp code
when processing the directions.
* add a line about the 'include' keyword in keepalived.conf(5).
* fix HTTP_GET config dump. The config dumper routine
dump_http_get_check was always printing the last configured checker's
connection info.
* dump_conn_opts: prototype change.
Pass the conn_opts_t pointer as a void* parameter to make the
function prototype a valid dump callback. This makes the smtp_dump_host()
function needless, so it is removed.
* fix build issues on older systems.
Try to avoid the build error on systems which lack the
O_CLOEXEC and IP_MULTICAST_ALL defines (such as Ubuntu lucid and
Debian squeeze).
* Fix compilation with --disable-vrrp-auth
* vrrp: Remove state VRRP_STATE_LEAVE_MASTER since it isn't used.
* vrrp: Fix VRRPv2 authentication issues.
* Don't redefine _GNU_SOURCE.
* vrrp: Exclude function vrrp_ah_sync when --disable_vrrp_auth.
* Fix some conditional compilation errors.
* Streamline getopt_long options.
* Remove '\n's from log messages.
* Ensure standard configure generated defines are used.
The defines used in the compiles in the various subdirectories were
specified in each Makefile.in which could lead to inconsistencies.
This commit defines APP_DEFS in configure.in, which is then used
in each Makefile.in.
* Dump keywords to file rather than stdout.
* Add copyright message and build options to version output.
This commit also ensures that the end year of the copyright date
range is the current year when keepalived was built.
* Stop erroneously logging error message for unknown keywords.
When vrrp_parser parsed the configuration file, it didn't know
about the checker keywords, and vice versa, and so reported errors.
This commit makes the other keywords known but marked as inactive.
* vrrp: Fix SNMP trap NewMaster.
The trap must only be triggered for IPv4, since RFC2787 doesn't
understand IPv6. Also, RFC2787 only supports VRRPv2 instances,
so don't raise the trap for VRRPv3 instances.
The IP address returned must be the actual IPv4 address, and not
the ip_address_t that holds the address.
* vrrp: Use underlying interface for ifindex in NewMaster traps for vmacs.
If the VMAC ifindex is returned, then there is no indication that
multiple VRRP instances are operating on the same physical interface,
so return the ifindex of the underlying interface. This will also
mean that the same ifindex should be maintained between different
invocations of keepalived.
* vrrp: Move SNMP private defines into vrrp_snmp.c/check_snmp.c.
The defines for the net-snmp "magic" were in the header files
which were included by other modules. The defines are private to
the c source file, so move the defines into them, to avoid polluting
compilation units which included vrrp_snmp.h/check_snmp.h.
* Use definition for 1.3.6.1.2.1.
* vrrp: Start SNMP after reading configuration.
If SNMP is started before the configuration is read, a meaningless
response will be returned to net-snmp, so don't start the snmp agent
until after all the config has been read.
* vrrp: Fix setting SNMPv2-MIB::sysORID entries in ORTable.
The length of the OID passed to register_sysORTable was wrong.
* vrrp: Allow SNMP agent to unregister cleanly with more than one MIB.
Separate snmp_unregister_mib() out from snmp_agent_close() to allow
multiple MIBs to be unregistered before the snmp agent is closed.
* vrrp: Don't register the global_oid with SNMP twice.
If SNMP is enabled, both the checker process and the vrrp process
were registering the global_oid. This commit makes the checker
process register it if it is running, otherwise the vrrp
thread registers it.
* vrrp: Add read-only support for RFC2787 SNMP (VRRPv2).
* vrrp: Allow any combination of keepalived and RFC SNMP support.
* Allow enabling snmp via config file.
* ipvs: sctp and persistent engine support.
* Fix building with --disable-lvs
* Stop autoconf complaining.
* vrrp: Use defined value for maximum VRRP priority.
* vrrp: Simplify scheduler code vrrp_leave_fault().
Two pairs of code blocks were repeated, and each pair could be
reduced to occurring only once if the conditions were merged.
* vrrp: If VRRP priority is 255 and not nopreempt, configure like state
MASTER.
* vrrp: Ensure number of VIPs doesn't exceed 255 per instance.
* vrrp: Don't check second time if IFLA_IFNAME is NULL.
* Dump interface details with rest of config.
* vrrp: When becoming master, block addresses before adding them.
If not accept mode, entries are added to iptables/ipsets to block
traffic to the VIPs/eVIPs. These entries should be added BEFORE the
addresses themselves are added, to ensure there isn't a (small)
window when we might reply from the added addresses.
* vrrp: Document virtual_rules.
* Fix memory leak re some uses of ipaddresstos().
* Fix parsing ipset names.
* vrrp: Improve and fix finding vmacs left over from previous invocation.
When netlink reports a new or existing interface, we can extract
information that allows us to determine if the interface is a macvlan,
and the type (e.g. private). We can then save that in the interface_t
structure, setting the vlan flag, and base ifindex.
When working out the interface name to use for VMAC instances, we can
then check the interfaces which are macvlans to see if any of them
match the vrrp instance in terms of mac address, underlying interface
and inet address family, and if so we can then reuse the macvlan interface.
Commit 9ae463e7f broke the finding of existing interfaces where the
configuration didn't specify the VMAC interface name, and simply created
a new interface. This commit now resolves that.
There is still an issue that if an interface was in MASTER mode when
keepalived terminated, when keepalived restarts it leaves the VIPs and
eVIPs on the interfaces, meaning that keepalived cannot receive VRRP
packets on the interface from the VRRP instance that has taken over, and
it also means that there are duplicate IP addresses on the network.
Another commit will resolve this issue.
* vrrp: Remove ip addresses left over from previous failure.
If keepalived terminates unexpectedly, for any instances for which
it was master, it leaves ip addresses configured on the interfaces.
When keepalived restarts, if it starts in backup mode, the addresses
must be removed. In addition, any iptables/ipsets entries added for
!accept_mode must also be removed, in order to avoid multiple entries
being created in iptables.
This commit removes any addresses and iptables/ipsets configuration
for any interfaces that exist when iptables starts up. If keepalived
shut down cleanly, that will only be for non-vmac interfaces, but if
it terminated unexpectedly, it can also be for any left-over vmacs.
* Sort out extraneous space and tab characters.
The commit removes spaces followed by tabs, trailing spaces and tabs,
and replaces occurrences of 8 spaces with tabs, except where the
spaces and/or tabs occur within strings.
This has the benefit that if blocks of code are copied, git does not
complain when running git am on a file produced by git format-patch.
* vrrp: Simplify RFC SNMP code.
The code was checking VRRP version unnecessarily, and also had code
to return an index element which is not necessary.
* vrrp: Don't send traps for SNMP MIBS which are not enabled.
* vrrp: Don't register SNMP global OID if not handling it.
If neither the checker nor the vrrp components of KEEPALIVED-MIB
are enabled, don't register the global OID.
* Parameters passed to traps don't need to be static.
* Fix --without-lvs and --without-vrrp configure options.
* Ensure general MIB is enabled if --disable-lvs configured
* Avoid compiler warning re function definition to prototype.
* Add RFC6527 SNMP (VRRPv3).
This commit adds read-only and notification support for SNMP for VRRPv3
in accordance with RFC6527.
* vrrp: Fix MAC address for IPv4 VMACs created after IPv6 VMACs.
* vrrp: Allow routes and rules to use tables >= 256
* Don't recompile libipvs-2.6/*.c every build.
* vrrp: Remove left over ip rules and routes at startup.
* vrrp: Ensure ip routes added before rules, and vice versa.
If ip rules are added before routes, then it is possible for a
packet to be routed while the routing table is only partially
complete. Adding the rule after the routes ensures that the routing
table won't be processed until it is completely set up.
Likewise, when removing rules and routes, remove the rules first.
* vrrp: Add missing reason message for rejected VRRP packet.
Issue #255 shows a log identifying bogus VRRP received, but there
was no reason shown for the rejection. The only instance I can find
for this is if vrrp->family is neither AF_INET nor AF_INET6, which I
think must be a bug in the code parsing and setting up VRRP instances.
This commit just adds a log message to be explicit about why the packet
is rejected, and also reports the value of vrrp->family.
* Reduce number of calls to getaddrinfo() reducing DNS lookups.
* Report if vrrp or checker process abnormally terminates.
* Add option to increase child process priorities and make non swappable.
* Make vrrp_daemon.c and check_daemon.c use header file for externs.
* Add reporting ops mode, and minor tidying up of virtual_server config.
* vrrp: Don't overwrite real interface MAC address with VMAC MAC address.
When a VMAC was being created, the MAC address of the VMAC was
being copied to the MAC address of the underlying interface in the
interface_t structure.
The netlink reflector sets up the MAC address of the new VMAC
interface, so there is no need to copy a MAC address at all.
* vrrp: Stop keepalived_vrrp terminating with SIGSEGV if lvs_syncd_if set.
ipvs_stop() was being called before shutdown_vrrp_instances(), and
so if lvs_syncd_if had been specified on a vrrp instance, keepalived
would subsequently terminate with a SIGSEGV in free_interface_queue().
* Make lvs_sync_daemon global config rather than vrrp specific.
* Stop lvs sync daemons on restart in case of prior abnormal termination.
* Remove any residual ipvs configuration on restart.
* vrrp: Optimise clear_diff_vrrp_*() functions.
* Check MALLOC returned non NULL before copying to the location.
* Allow specifying syncid for lvs syncd.
* vrrp: Send second set of GARP messages after receiving lower prio advert.
When a VRRP instance transitions to master state, if garp_master_delay
is non-zero, a second set of garp_master_repeat messages is sent after
garp_master_delay seconds (unless 0). However, if a lower priority advert
is received, keepalived didn't send a second set. This commit sends a
second set if a second set would have been sent after transition to master.
* vrrp: Allow setting of gratuitous ARP parameters for lower prio adv
separately.
* Don't log a "keepalived stopped" message if keepalived already running.
* vrrp: Add support for iprule and iproute table names.
* Resolve MALLOC/FREE issues to iprule/iproute table names.
* Make keepalived_malloc return void* to match malloc.
* When reporting MALLOC/FREE status on exit, report max MALLOC'd memory.
* Make libipvs use MALLOC/FREE.
* Don't restore original signal state when reloading checker config.
* Ensure signals USR1 and USR2 are set to ignore in checker process.
* vrrp: Only free list of iprule table names if list assigned.
* vrrp: Fix strict mode of vrrp instance overriding global vrrp_strict.
* Attempt to fix build breakage introduced in commit 85f81dd.
* Fix parsing of scope for ip addresses.
* Free global ssl context on reload.
* Free request_t buffer and ssl data on reload.
* vrrp: Restore sync-state after reload.
Currently the sync state is rebuilt from the member states after
config reload. This change now reloads the previous sync state
after reload, and then pushes this back to the group members. If a
new group member is added during the reload, then the new group
will accept the sync group state. If a group member is removed
during a reload, then a special case will be executed to force
the sync-group state to BACKUP. This is required so that an
alternative backup peer for the removed group is given an
opportunity to take over the gateway.
2015-07-07 Alexandre Cassen <[email protected]>
* keepalived-1.2.19 released.
* vrrp: fix checksum computation in vrrp v2 for socket family AF_INET
One of the differences between VRRPv2 and VRRPv3 is the way the checksum is
computed. In VRRPv2 no accumulation is specified in the RFC, while VRRPv3
uses a regular accumulator with an upper pseudo header. This fix restores
compliant VRRPv2 for AF_INET vrrp instances. Since IPv6 sockets are using the
IPV6_CHECKSUM option, this means that checksums for VRRPv6 instances running
in native_ipv6 mode are broken. But since this is an end-to-end sanity
check and both sides are operating the same way, this is OK; it is not "compliant
with the VRRPv3 RFC", but anyway using native IPv6 on VRRPv2 is not really
compliant either ;)
* Some cosmetics at Makefile stuff.
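The receive-path entries above (checking that the whole VRRP packet actually arrived, checking header fields before the overall length so a version mismatch is reported as such, and the VRRPv2 versus VRRPv3 checksum difference) as one added example; this is not keepalived's code. vrrp_in_chk, check_sample and the sample packet are hypothetical names and a constructed IPv4 advert; header layouts follow RFC 3768 (v2) and RFC 5798 (v3).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Outcome of validating a received IPv4 VRRP advertisement. */
enum vrrp_chk {
    VRRP_OK = 0,
    VRRP_ERR_SHORT_IP,   /* fewer bytes than a minimal IPv4 header */
    VRRP_ERR_SHORT_HDR,  /* IP header plus VRRP header not fully received */
    VRRP_ERR_VERSION,    /* neither VRRPv2 nor VRRPv3 */
    VRRP_ERR_IPLEN,      /* IP total length cannot hold the advertised VIPs */
    VRRP_ERR_TRUNCATED,  /* buffer holds fewer bytes than the IP header claims */
    VRRP_ERR_CHECKSUM
};
#define VRRP_HDR_LEN     8    /* fixed part of the v2 and v3 header */
#define VRRP_V2_AUTH_LEN 8    /* trailing authentication data, VRRPv2 only */
#define VRRP_PROTO       112

/* One's-complement accumulator shared by the v2 and v3 checksums. */
static uint32_t csum_partial(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; len -= 2, p += 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t s)
{ while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
/* VRRPv3 also sums an IPv4 pseudo-header (src, dst, 0, proto, VRRP length); v2 does not. */
static uint32_t vrrp_pseudo_sum(const uint8_t *ip, size_t vrrp_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);              /* source and destination address */
    pseudo[8] = 0; pseudo[9] = VRRP_PROTO;
    pseudo[10] = (uint8_t)(vrrp_len >> 8); pseudo[11] = (uint8_t)vrrp_len;
    return csum_partial(pseudo, sizeof pseudo, 0);
}
/* Check buf[0..len) as received: headers present first, then header fields,
 * then both lengths, and only then the checksum. */
enum vrrp_chk vrrp_in_chk(const uint8_t *buf, size_t len)
{
    if (len < 20) return VRRP_ERR_SHORT_IP;
    size_t ihl = (buf[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl + VRRP_HDR_LEN) return VRRP_ERR_SHORT_HDR;
    const uint8_t *vh = buf + ihl;
    unsigned version = vh[0] >> 4;
    if (version != 2 && version != 3) return VRRP_ERR_VERSION;  /* before any length error */
    size_t ip_len = (size_t)buf[2] << 8 | buf[3];
    size_t vrrp_len = VRRP_HDR_LEN + (size_t)vh[3] * 4 +      /* vh[3] = VIP count */
                      (version == 2 ? VRRP_V2_AUTH_LEN : 0);
    if (ip_len < ihl + vrrp_len) return VRRP_ERR_IPLEN;
    if (len < ip_len) return VRRP_ERR_TRUNCATED;    /* claimed bytes never arrived */
    uint32_t sum = version == 3 ? vrrp_pseudo_sum(buf, vrrp_len) : 0;
    if (csum_fold(csum_partial(vh, vrrp_len, sum)) != 0) return VRRP_ERR_CHECKSUM;
    return VRRP_OK;
}
/* Constructed sample advert (VRID 51, priority 100, VIP 192.168.1.100) sent
 * from 192.168.1.1 to 224.0.0.18; not a real capture. Returns its length. */
static size_t build_sample_advert(uint8_t *out, unsigned version)
{
    static const uint8_t ip_hdr[20] = { 0x45, 0, 0, 0, 0, 0, 0, 0, 255, VRRP_PROTO,
                                        0, 0, 192, 168, 1, 1, 224, 0, 0, 18 };
    size_t vrrp_len = VRRP_HDR_LEN + 4 + (version == 2 ? VRRP_V2_AUTH_LEN : 0);
    memset(out, 0, 20 + vrrp_len);
    memcpy(out, ip_hdr, 20);
    out[2] = (uint8_t)((20 + vrrp_len) >> 8); out[3] = (uint8_t)(20 + vrrp_len);
    uint8_t *vh = out + 20;
    vh[0] = (uint8_t)(version << 4 | 1);                /* version | ADVERTISEMENT */
    vh[1] = 51; vh[2] = 100; vh[3] = 1;                 /* VRID, priority, one VIP */
    vh[5] = version == 2 ? 1 : 100;                     /* 1 s, or 100 centiseconds */
    vh[8] = 192; vh[9] = 168; vh[10] = 1; vh[11] = 100;
    uint32_t sum = version == 3 ? vrrp_pseudo_sum(out, vrrp_len) : 0;
    uint16_t csum = csum_fold(csum_partial(vh, vrrp_len, sum));
    vh[6] = (uint8_t)(csum >> 8); vh[7] = (uint8_t)csum;
    return 20 + vrrp_len;
}
/* Run the checker on the sample; tamper 0 = intact, 1 = drop the last byte,
 * 2 = corrupt the VIP, 3 = claim VRRP version 1, 4 = deliver only 25 bytes. */
enum vrrp_chk check_sample(unsigned version, int tamper)
{
    uint8_t pkt[64];
    size_t len = build_sample_advert(pkt, version);
    if (tamper == 1) len -= 1;
    if (tamper == 2) pkt[20 + 8] ^= 0x01;
    if (tamper == 3) pkt[20] = 0x11;
    if (tamper == 4) len = 25;
    return vrrp_in_chk(pkt, len);
}
/* Checksum the builder wrote: 0xb8bd for v2 and 0x0622 for v3 (hand-checked). */
unsigned sample_checksum(unsigned version)
{
    uint8_t pkt[64]; build_sample_advert(pkt, version);
    return (unsigned)pkt[26] << 8 | pkt[27];
}
```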
2015-06-30 Alexandre Cassen <[email protected]>
* keepalived-1.2.18 released.
* some cosmetics changes (in memory and parser).
* remove dead/not used code.
* revert notify script brought by last release.
* revert VRRP preemption speed up extension.
* vrrp: Fix vrrp removing an incorrect IPv4 address when VIPs
are removed.
* vrrp: Re-enable VRRPv2 checksum on inbound pkts.
2015-05-31 Alexandre Cassen <[email protected]>
* keepalived-1.2.17 released.
* zalloc use xalloc for consistency.
* memory: fix wrong size calculation in zfree.
* Fix keepalived snmp configuration.
* Change comments to match kernel style.
* smtp: Fix wrong algorithm in RCPT-TO building.
* vrrp: ICMPv6 : modify the way we copy the src address into the IPv6
header, in order to not overwrite the header' and the 'hop limit' fields
* vrrp: sync status flag (up/down) for _all_ VMAC interfaces.
When using VMAC and running multiple instances on the same interface,
only one of the VMAC interfaces will get its status flag synched.
This commit will update the status flag for _all_ VMAC interfaces attached
to a base interface.
* ipvs: fix segfault crash when parsing SMTP_CHECK config
* ipvs: SMTP_CHECK now respects configured RS port. Before that it always
used the default port 25.
* ipvs: config parser: handler for the end of a block. New function
install_sublevel_end_handler(handler).
* ipvs: new log function vlog_message taking varg_list. log_message now
uses format gcc attribute, not the macro wrapper.
* ipvs: bug: check_smtp was logging "#30" instead of the RS address; do not do
nested va_start/va_end calls in smtp_final.
* ipvs: clarify snmp_check config syntax. Now host{} section is optional,
and all the standard connection options are available in the SNMP_CHECK{}
level, too. If one or more host sections are present, those base-level options
are used to specify default values that can be overridden in a host section.
* vrrp: Use literal constants for bit flags of the "debug" global variable.
Change from using numeric constants to literal constants for the bit flags
of the "debug" global variable.
* vrrp: Backup obtains VIP resulting in a duplicate IP. VRRP backup obtains
VIP resulting in a duplicate IP situation. When a priority change to the
configuration of a Master router drops its priority to below that of a
backup router, the VIP is not released on the Master router leading to
a duplicate IP situation.
* vrrp: Make preempt_delay work more than once.
* vrrp: Changes needed to support AH auth in VMAC mode. Note according to
the RFC this is not a requirement, but we think that our customers will
expect it to work. The RFC actually discourages its use because it adds
little to no additional security. We are still able to interoperate in
RFC mode by not enabling authentication.
* vrrp: Check VRRP header in the IP auth header is correct. In the middle
of vrrp_in_chk, the existing VRRP packet parsing code does
"return vrrp_in_chk_ipsecah(vrrp, buffer);" if the VRRP version is two,
and the authentication type is IP sec authentication, to check whether
or not the IP sec authentication header is valid. However the "instant"
return means that if the IP sec authentication header is valid, then
the remaining parts of the VRRP packet (VRRP version, VRRP checksum,
VRID, number of VIPs, advertise-interval) are not parsed or validated.
* vrrp: Add support for SNMP trap: vrrpTrapNewMaster.
* vrrp: Add skeleton code for VRRP-MIB.
* vrrp: Check existing VIF and recreate if VMACs are wrong. Although under
normal circumstances we will cleanup VIF interfaces when shutdown, there
are various scenarios where this is not the case. To make the code more
robust, keepalived now performs a check for matching VIF interfaces at
restart, and if the configuration of the VIF matches the current
keepalived configuration it will reuse the VIF. However, should the
configuration be different, keepalived will remove the existing
interface, and then recreate a new VIF interface with the appropriate
configuration. This fix resolves the continuous crash scenario that can
occur when keepalived fails to configure the VIF because one already
exists. It prevents keepalived from reusing a previous VIF interface
which does not completely match its configuration criteria.
* vrrp: fix snmp code (cosmetic)
* vrrp: Fix the keepalived mib and agentx warnings. During Keepalived
startup, about twenty "duplicate registration" and a couple of "Failed
to connect to the agentx master agent" warning messages were issued.
Pairs of the "Failed to connect" warning messages were logged every two
minutes. The "duplicate registration" warnings happened because VRRP
called snmp_agent_init twice, once for the keepalived-vrrp MIB, and once
for the rfc2787-vrrp MIB, however each call to snmp_agent_init also
tried to register the keepalived-global MIB (which holds data like
Keepalived version number, SMTP server details, and a "from" email
address). It was the second attempt to register this keepalived-global
MIB that generated the "duplicate registration" warning. The registration
of the keepalived-global MIB is now only done once under the control of
a static variable. init_agent is also called just once under the control
of the same static variable to prevent it logging a warning message. The
"Failed to connect" warnings occur because Keepalived does not know how
to connect to the SNMP AgentX master server. By default the Agent X
master server is listening for MIB registrations on a local TCP socket
with a port number of 705.
* vrrp: Fix VRRP preemption taking too long. VRRP preemption may not work
correctly due to group expiry timers being incorrectly manipulated while
running down the MDT. Also, preemption can be disrupted if the VRRP group
receives an advertisement while running down its timer.
* vrrp: Initial Implementation of VRRP statistics.
. Add VRRP counters. This is needed by the VRRP-MIB, and will provide
better insight into the operation of VRRP for users.
. Add SIGUSR1 and SIGUSR2 handlers
- SIGUSR1 allows users to dump current state of VRRP instances to
/tmp/keepalived.data
- SIGUSR2 allows users to dump VRRP counters to /tmp/keepalived.stats
* vrrp: Copy old VRRP stats on reload.
* vrrp: Separate printing functions from vrrp_daemon.c. Separate state
printing code from vrrp_daemon.c so that the code is better organized.
* vrrp: Track master router priority in VRRP.
* vrrp: Added 'Master priority' output to show vrrp detail.
* vrrp: Enhance keepalived vrrp to configure multiple scripts. Currently,
keepalived vrrp only allows configuring a single notification script.
This is a limitation and should be extended so that keepalived vrrp can
notify multiple scripts about vrrp state changes.
* vrrp: Don't display ipsec ah password in log files. When authentication
type is selected as ipsec ah, password should not be displayed in the
log files.
* vrrp: Fix notify upon reload. When a notify script is configured after
Keepalived has been started, if other notify scripts are already
configured, these scripts get reinvoked even if the state has not
changed. This occurs when in backup state. When in master state, no
notifications are sent out at all if a new notify script is configured.
For the backup case, this problem occurs when the daemon is reloaded.
This causes vrrp to leave the state it's currently in, go to the init
state and from there, go back to backup. However, this transition
causes the notify scripts to be invoked, causing a redundant
notification to be sent. For the master case, there is no call to
notify_instance_exec(), hence no notifications are seen at all.
The solution is to add a new field to the vrrp struct that stores the
notify scripts that were configured before reload. A new function has
been added to take advantage of this new field. Instead of calling
notify_instance_exec() when we are in the init state, we now call
notify_instance_exec_init(). This is a proxy function that modifies
the 'script' member of a vrrp structure to point to a new list
containing only scripts that have not previously been configured,
thereby preventing the sending of notifications that have already been
sent. This new list is created by utilising the new vrrp struct field.
Inside this new function, notify_instance_exec() is called using the
modified VRRP instance. When this call returns, the member is reset
back to its original value.
* vrrp: Keepalived extension to support VRRP version 3. Updated vrrp_header
and _vrrp_t struct to support version 3 params. Support to build vrrp_v3