forked from acassen/keepalived
ChangeLog
2017-10-15 Alexandre Cassen <[email protected]>
* keepalived-1.3.8 released.
* parser: do not exit when glob() doesn't match any files.
* Use nodename as default id for conditional configuration.
If the node name returned by uname() is host123.abc.de, then
lines in the configuration file matching @host123 will match the
conditional configuration test. This means that it is no longer
necessary to specify the -i command line option if the conditional
configuration string used in the configuration is the node name.
* Option --i/--config-id parameter is not optional.
Since the config-id defaults to the hostname, there is no point
in allowing --config-id to be used without a parameter, just to mean
use the hostname.
* Use NULL instead of 0 for pointers in get_longopts struct.
* Some minor tidying up of the new JSON output code.
1. Use SIGRTMIN+2 rather than (_SIGRTMIN + 4)
2. Don't include JSON code if not building with VRRP
3. Some code alignment fixes
4. Some conditional compilation additions
* Add --signum command line option to report signal numbers.
Since keepalived is starting to use real time signals, and those
signal numbers are not fixed, this commit introduces a way to
ask keepalived to report those signal numbers.
* Stop command line option -i segfaulting.
* Fix config include files when file has no directory part.
When an include file name has no directory part, there is no
directory to change to, so don't try to do so.
* Use getcwd() malloc functionality if available.
* Add support for csh brace globs in config file names.
* Update documentation for config file include directive.
* Use fchdir() when changing directories while reading include files.
The getcwd(3) man page recommends using open()/fchdir() rather than
getcwd()/chdir() since fchdir() is guaranteed to return to the previous
directory even if directories have been renamed in between the first
chdir and the second. It also suggests that it is faster, and saves
mallocs or allocation of arrays on the stack of size PATH_MAX.
* Use alloc_value_block() for vrrp_vip_handler().
* Fix whitespace error introduced in commit 9458c9b9.
* Reinforce that '@' conditional config character must be 1st on line.
The '@' conditional configuration character must be the very first
on a configuration, meaning that there cannot even be whitespace
before the '@' character.
* Check whether GLOB_BRACE is supported (it is not part of POSIX.2).
* When building a docker image, it appears that autoheader is required.
* Fix IPVS virtual server setup with persistence.
* Remove a merge conflict .rej file accidentally added to git.
This commit also updates the .gitconfig file to ensure that .rej
files will not be added in the future.
* config synopsis - cleanup line endings and comment alignment.
* conf examples - clean eol whitespace.
* conf examples - clean triple line breaks.
* add pair of config options used in misc_check.
* clean surprise tab character.
* many whitespace fixes; some missing docu added to synopsis.
* config docs - apply code review markups.
* Trivial updates to latest format cleaning patches.
* Allow conditional configuration to work with include statements.
* Allow '@' conditional configuration to be preceded by whitespace.
2017-10-01 Alexandre Cassen <[email protected]>
* keepalived-1.3.7 released.
* Allow broadcast address to be specified as '-' or '+'
When configuring an ip address with a broadcast address, allow the
use of - and + (like ip(8)) to clear or set the host specific bits of
the address, i.e.
10.6.23.254/16 broadcast + results in a broadcast address of 10.6.255.255
10.6.23.254/16 broadcast - results in a broadcast address of 10.6.0.0
* Change some code layout and macro/variable names
* Print unicast peer addresses in /tmp/keepalived.data
* Add negative conditional configuration.
A configuration line starting @main will only be included if
keepalived is started with option -i main.
This commit adds configuration option @^main, meaning that the
remainder of the configuration line will only be included if
-i main was NOT specified.
* Fix calculation of checksum for VRRPv3 IPv4 unicast peers.
Alternate unicast peers were being sent adverts with the checksum
set to 0. The reason for this was that the checksum field was not
being set to 0 before the checksum calculation, hence causing the
calculated checksum to be 0 for the second, fourth, sixth etc
unicast peer.
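The failure mode in the entry above, reproduced as an added example (not keepalived's code). It assumes a simplified 12-byte VRRPv3 advert with the checksum at offset 6 and checksummed bytes that are identical for every peer; the names inet_csum, fill_csum and send_to_peers are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CSUM_OFF 6   /* checksum field offset in the VRRPv3 header (RFC 5798) */
#define ADV_LEN  12

/* Constructed sample advert: version 3 / type 1, VRID 51, priority 100,
 * one address, advert interval 100 cs, checksum 0, VIP 10.6.23.254.
 * Assumption: the bytes that are checksummed are the same for every peer. */
static const uint8_t sample_advert[ADV_LEN] = {
    0x31, 0x33, 0x64, 0x01, 0x00, 0x64, 0x00, 0x00, 0x0a, 0x06, 0x17, 0xfe
};

/* RFC 1071 Internet checksum: one's-complement sum of 16-bit words, inverted. */
static uint16_t inet_csum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1)
        sum += (uint32_t)(buf[len - 1] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Compute and store the checksum. With clear_first == 0 this is the buggy
 * behaviour: whatever the field held from the previous send is summed too. */
static uint16_t fill_csum(uint8_t *adv, size_t len, int clear_first)
{
    uint16_t c;

    if (clear_first)
        adv[CSUM_OFF] = adv[CSUM_OFF + 1] = 0;
    c = inet_csum(adv, len);
    adv[CSUM_OFF] = (uint8_t)(c >> 8);
    adv[CSUM_OFF + 1] = (uint8_t)(c & 0xff);
    return c;
}

/* Receiver-side check: a packet carrying a correct checksum sums to zero. */
static int advert_valid(const uint8_t *adv, size_t len)
{
    return inet_csum(adv, len) == 0;
}

/* Reuse one buffer for n unicast peers, record the checksum sent to each,
 * and return how many of those adverts a receiver would reject. */
static int send_to_peers(int n, int clear_first, uint16_t *sent)
{
    uint8_t adv[ADV_LEN];
    int i, rejected = 0;

    memcpy(adv, sample_advert, ADV_LEN);
    for (i = 0; i < n; i++) {
        sent[i] = fill_csum(adv, ADV_LEN, clear_first);
        if (!advert_valid(adv, ADV_LEN))
            rejected++;
    }
    return rejected;
}

int main(void)
{
    uint16_t sent[4];
    int i, mode;

    for (mode = 0; mode <= 1; mode++) {
        int rejected = send_to_peers(4, mode, sent);
        printf("%s:", mode ? "field cleared" : "field not cleared");
        for (i = 0; i < 4; i++)
            printf(" 0x%04x", sent[i]);
        printf("  rejected=%d\n", rejected);
    }
    return 0;
}
```

Summing a packet that already carries its own valid checksum yields zero, which is why every second peer received a checksum of 0 until the field was cleared before each calculation.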
* Generate README from README.md.
* Only declare (and use) auth variables if compiling with authentication.
authtype_mismatch and auth_failure are only used if authentication is
enabled.
* The vrrp_t vmac flag should be a bool.
* Add include guard for vrrp_print.h.
* Log some additional vrrp variables.
* Make checksum change backwards compatible.
This commit adds the ability of keepalived to revert to using the old
checksum calculation if it sees an advert that has an old checksum. This
means that if an old and a new version of keepalived are working
together, once the new version has seen an advert from an old version,
it will drop back to using the old style checksum, and so the two
keepalived instances will work together.
There is a slight problem with this, though. If the old version starts
when a new version is master, it will report bad checksums. This should
be fine, since keepalived should discard the adverts, time out and send
an advert which would make the new keepalived revert to old checksums.
Unfortunately, keepalived does not completely ignore bad adverts, since
it resets its master down timer, even for bad adverts, and so it never
times out. However, in this scenario, there will still remain one master
and all the other keepalived instances will be in backup state, and so
VRRP functionality is preserved.
As identified in commit bcf2936 until commit 67275d2 keepalived did not
work with VRRPv3 and more than one other unicast peer, so for migration
we only need to consider two unicast peers. To upgrade, first upgrade
the keepalived instance that is in backup mode. This will see old
checksums when it starts, and so start using old checksums. The other
keepalived instance can then be upgraded and it will also see old
checksums when it starts up. In order to switch to using new checksums,
temporarily add the following line in the configuration of each vrrp
instance that is in master state:
old_unicast_checksum never
and then reload the keepalived instance by sending it SIGHUP. After the
master has restarted, restart the backup with a SIGHUP, and they will
then be using new checksums. The temporary old_unicast_checksum never
lines can now be removed from the configuration.
* Add checker bind_if keyword.
If a checker binds to a link local IPv6 address, the interface has
to be specified.
* Make DBus service name configurable.
* Make --config-id option default to hostname.
This is the equivalent of specifying --config-id `hostname -s`, and
makes it more straightforward to deploy the same configuration to
multiple hosts.
* Issue warning if more than 1 dynamic misc_checker per real server.
If different scripts return different exit statuses, the priority
of the real server will keep changing. The solution is to combine
the functionality into 1 script.
* Improve DBus error handling.
. Always clear errors to avoid leaks
. Check for errors when emitting signals
. Check for errors when registering objects
* Stop test tcp_server leaving zombie processes.
* Fix persistence_granularity handling
1. vs->addr.ss_family should never be used to check address family of
vs since there may not be an address if using fwmark.
2. If using fwmark, the address family may not be known when parsing
persistence_granularity
3. Set address family from format of persistence_granularity if not
already set
4. Ensure entire string is a number and is between 1 and 128 for IPv6
5. Ensure netmask specified for IPv4 is solid
* Ensure always check return from inet_stosockaddr when parsing config.
* Add lthreshold and uthreshold to keepalived.SYNOPSIS.
* Merge virtual server group addresses and ranges into one list.
A single address can be treated as a range with only 1 address, so
this reduces the number of lists that need to be processed when
handling a virtual server group.
A number of corrections were also made re hton/ntoh(s|l).
* Remove redundant setting of real server weight.
* Don't use vs->addr.ss_family for address family of virtual server.
A virtual server won't use vs->addr if it is defined by a fwmark or
it uses a virtual server group. vs->af is the correct field to use.
* Make ipvs_update_stats() little/big endian aware.
* Simplify ipvs_update_stats().
Don't run a state machine to collect all the stats, simply iterate
through the entries.
* Move fetching ipvs stats into ipvs_update_vs_stats().
* Remove some #defines in ipvs_update_stats().
* Streamline setup for changing ipvs configuration.
* Fix updating resolved notify script path names with parameters.
* Add silent option to test/tcp_server.
* Document default checker connect ip/port.
* Remove duplicate setting up of file name.
* Validate HTTP_GET and SSL_GET checkers.
Ensure that urls have a path specified, and that the checkers have
at least one url specified.
* Fix memory leak if SMTP_CHECK helo_name specified.
* Fix dumping of SMTP_CHECK host list.
* Don't allocate and copy default SMTP_CHECK helo name unless needed.
* Tidy up dumping SMTP checkers.
* Remove smtp_host_t typedef.
It is passed to functions that take a conn_opts_t parameter, so
we need to explicitly use the correct type.
* Simplify handling of host{} block in SMTP_CHECK.
This also allows specifying connect_ip, connect_port as well as
using host blocks.
* Add DNS_CHECK RRSIG and DNSKEY query types.
* Fix documentation re MISC_CHECK.
* Detect if no misc_path specified for MISC_CHECK.
If no path was specified, keepalived was segfaulting.
* Add some more error messages to socket_bind_connect().
* Checker connections aren't always TCP.
* Report if checker bind_if is missing
If a link local IPv6 address is specified for a checker to
connect to, then a bind interface must also be specified,
otherwise the connect() call fails.
* If a real server has inhibit_on_failure, configure it at start up
If a real server had inhibit_on_failure set, but it also had an
alpha mode checker, then the real server should be installed at
startup with weight 0 to be consistent with what would happen if
the checker had been successful but then failed.
* Improve handling of virtual server groups.
If multiple virtual servers use the same virtual server group, and
the virtual servers have different protocols, or the virtual server
groups are defined using only fwmarks and the virtual servers have
different address families, then multiple versions of the entries
in the virtual server groups will need to be created as IPVS
virtual servers.
This patch handles the creation and removal of the necessary different
virtual servers for the virtual server groups.
* Add virtual server protocol types SCTP and none for SNMP.
* Handle virtual server with no protocol specified
This is valid if fwmarks are being used.
* Warn if a protocol is set on a virtual server using firewall marks.
* Don't check !LIST_ISEMPTY(vs->rs) after config is validated
In validate_check_config() any virtual server without any real
servers is removed, so there is no need to check subsequently.
* Don't allow virtual server groups without any addresses for fwmarks.
* Fix and optimise handling of promote_secondaries.
The promote_secondaries flag was being cleared by the first vrrp
instance that stopped using an interface, rather than by the last
instance.
* Fix the setting of mcast address for checksum compatibility
It was using INADDR_VRRP_GROUP rather than vrrp_mcast_group4.
2017-09-15 Alexandre Cassen <[email protected]>
* keepalived-1.3.6 released.
* Ensure locations of pid files is consistent
Issue #563 identified that the generated keepalived.service has the
wrong location for the pid file. On investigating this it was discovered
that keepalived isn't following the GNU coding standards for location of
pid files; however, we can't now move the default location of pid files.
This commit ensures that the keepalived.service file's location for pid
files is consistent with where keepalived is placing them, but also adds
a configure option --enable-gnu-std-paths, which means that keepalived
will use ${localstatedir} for the location of pid files, while the default
remains /var/run
* Stop logging that preferred_lft has been set to 0.
Some users are interpreting the message as a warning, and hence are
unnecessarily avoiding using a /128 netmask for IPv6 addresses. The
message doesn't really tell us anything useful, so remove it.
* Handle not being able to load ip_tables or ip6_tables modules.
When running in a docker container it isn't possible to load kernel
modules, so we need to cleanly handle a failure to load the modules.
* Don't segfault if unable to load ip_vs module.
In a docker container it isn't possible to load a kernel module. The
check code was detecting that it couldn't load the module, but the
checker process, when cleaning up prior to exiting, was assuming that
certain pointers had been initialised which hadn't been when an error
was detected so early in the initialisation.
This commit adds testing for uninitialised pointers during the exit
sequence.
* Fix releasing malloc'd memory for saved core pattern.
* Fix memory leak when adding iptables entries.
* Handle missing virtual server configuration.
keepalived was segfaulting if a virtual server had no real servers
configured. There were also issues of checkers running even if there
was missing essential configuration from a virtual server which meant
it could be set up. The problems were a virtual server group specified
but it didn't exist, a virtual server group with no configuration, and
a virtual server address family not matching the address family of a virtual
server group.
* Don't attempt to remove ipsets if ipset handling not initialised.
* Delay initialising IPVS until after processing configuration.
If IPVS isn't configured, there is no point in loading the ip_vs
module.
* Fix conditional compilation tests for _HAVE_LIBNL3_
* Make dynamic flag bool.
* Don't report exit status of misc_check scripts.
The result of a change in status from a misc_check script is reported
by the code anyway, so to log any non-zero exit code is superfluous and
annoying.
* Work around conflict between kernel and libipset header files.
ipset copies linux/netfilter/ipset/ip_set.h (and other) header
files, producing local copies that are installed as
libipset/linux_ip_set.h etc as part of the libipset development
package. Unfortunately although the kernel changes the include
guards when processing its source code, ipset does not, and so
the duplicated header files have different include guards.
This patch detects if the include guards don't match, and if so
if linux/netfilter/ipset/ip_set.h is included, it defines the
include guard used by libipset/linux_ip_set.h before the latter is
indirectly included.
* add Dockerfile.
* Fix detecting default script uid/gid.
* Stop segfault when keepalived can't load ip_vs module.
* Add some additional docker support files and add make target docker.
The configuration file installed by make install isn't ideal to run
keepalived with, so add a simple keepalived.conf that will be
installed into the container.
Add make target docker, to build the docker image.
Add docker/README to give some information about building and using
containers (this is mainly so that I don't forget how to the details).
* Remove a line of debugging code.
* Don't complain about keepalived_script user if not needed.
keepalived logged a warning every time if the keepalived_script user
didn't exist. We only need that warning if there is a script that uses
the default user, and an alternative default user isn't specified.
* Fix relative script path names with embedded spaces.
The space wasn't being restored after resolving the path name.
* Fix memory leak if notify scripts specified multiple times.
* Remove some residual debugging messages.
* Fix memory leak if quorum up/down scripts specified multiple times.
* Use realpath() to canonicalize script names.
* Fix missing PARAMETER_UNSET, which caused the global value of
vrrp_higher_prio_send_advert not to be used for each VRRP instance.
* Remove unused variable introduced in commit 1c5bfa29.
* Fix using virtual server groups following commit 5ca36cb.
* Set address port to be sequence number for virtual server group.
The format_vs() function uses the virtual server address port as
the sequence number of the virtual server instance using the virtual
server group, so we need to set it up.
* Warn if real server has no checkers when alpha mode.
If a virtual server is configured with alpha mode, and a real server
has no checkers, the real server will never be able to be activated,
so generate an appropriate warning.
* Only delete virtual server once if using a virtual server group.
If multiple virtual servers are using a virtual server group, the
virtual servers are defined by the virtual server group, and so they
should only be deleted for the first virtual server using the group.
There is still an issue that the configuration of all virtual servers
using the virtual server group needs to be consistent.
* Add further checks for LVS configuration.
* Document additional scheduling algorithms for IPVS.
* Change virtual_server_t loadbalancing_kind to forwarding_method.
The variable name loadbalancing_kind didn't represent the meaning of
the parameter, so change it to forwarding_method.
* Add fo and ovf scheduling types to SNMP.
* Only check one packet scheduling if supported.
* Add lvs_method per real server.
The lvs_method should be settable for each real server within a
virtual server. This commit maintains existing default behaviour
by using the lvs_method set against the virtual server as the default
for the real servers, but adds the option to configure the lvs_method
individually for each real server.
* Fix type in printing config of scripts.
* Convert some spaces to tabs.
* logger: output timestamps to console logs.
* Optimise handling of config_id in parser.
* Fix some typos.
* prog_type variable doesn't make sense when building a DEBUG version.
The DEBUG version runs everything in a single process, and to the
prog_type variable is meaningless in this case. This commit excludes
the prog_type variable by conditional compilation when building a
DEBUG version.
* Add home, -nodad, mngtmpaddr, noprefixroute, and autojoin address flags.
* Update documentation for commit cc67476.
* Add notify FIFO.
pull requests #568 and #587 and issue #584 have all identified that if
notify scripts are run in close succession, then the order of processing of
those scripts is indeterminate, and this is causing systems that are
monitoring the state of vrrp instances to have the wrong state.
There have been various suggestions about how this should be resolved,
principally along the lines that the notify scripts should be run
synchronously, i.e. a notify script should not be run until the previous
notify script completed. While this would work, it adds some overhead to
keepalived, which currently does not monitor the exit status of notify
scripts.
There is a further issue with notify scripts that if a large number of
events occur in rapid succession (e.g. due to an interface flapping), this
can cause a large number of child processes to be created very rapidly.
This commit adds an alternative method for external processes receiving
notification of events. Instead of forking a script for each event, keepalived
will write to a named pipe. An external process can then read the pipe to
receive notification of events, and process them appropriately. This is
guaranteed to deliver events in the correct order. It also has the benefit
that there isn't the overhead of forking a child process for each event.
* If can't get local host name, set default router_id to "[unknown]".
Issue #588 reported that keepalived was segfaulting when generating
an SNMP trap in strlen(global_data->router_id), which presumably is
due to global_data->router_id being NULL. As a precaution set
router_id to "[unknown]" if get_local_name() fails.
* Implement SNMP reporting smtpServerPort.
Commit 128cd24 added functionality for specifying smtp server port
and commit bcb09b8a added smtpServerPort to the keepalived MIB, but
no code was added to report the port. This commit adds that functionality.
* Don't use PATH when executing FIFO script.
The path has already been resolved as part of checking the script
security, so there is no need to search the path.
* Log error if unable to execute FIFO notify script.
* Pass FIFO name to notify_fifo_script as parameter.
* Add FIFO notify for LVS notifies.
To match the FIFO notifies for VRRP, this commit adds FIFO notifies
for LVS. There are now three FIFOs available, a global one that
will send output for VRRP and LVS, one for VRRP only and one for
LVS only.
* Fix conditional compilation for --enable-debug
Commit 7947247 attempted to sort out making keepalived work with
--enable-debug, but unfortunately it used the wrong conditional
compilation variable (DEBUG instead of _DEBUG_). This commit
corrects the conditional compilation tests.
* Include protocol in virtual and real server output.
* Stop segfaulting if no script given for a vrrp_script.
* Fix a _DEBUG_ conditional compilation test.
* Fix incorrect expression in clear_services().
* Fix use htons() instead of ntohs().
* Fix bad file descriptor error at reload with no virtual servers.
* Delete disabled inhibit servers at reload.
* Add logging to remove sorry server at reload.
* Fix bad file descriptor error at reload with no virtual servers.
* Delete disabled inhibit servers at reload.
* Fix thread_cancel() for timed out threads.
* build: add basic .travis.yml file
* README.md: rename from README.
* build: add build status tag in readme file
All that's needed now, is for user `acassen` to
go to `https://travis-ci.org/` login with the Github
account, import repos from Github, and enable build
for keepalived [a checkbox/button].
* Set sorry_server's forwarding_method.
* Further fix for thread_cancel() for child timeout threads.
Commit ade3d699 fixed removing read and write timeout threads
from the ready queue when they are cancelled. This commit adds
removing child timeout threads from the ready queue too.
* Fix warnings from ignoring seteuid/setegid return results.
* Fix dynamic linking with early versions of libnl3 without nla_get_s32.
* Updated autoconf files due to autoconf upgrade.
* Fix compiling with namespace collisions in net/if.h and linux/if.h.
* Update travis configuration.
This commit includes the installation of development library
packages, updated kernel header files, using trusty for the builds,
and adding more build options.
* Reinstate distributing (renamed) README.md file.
* More updates for updated automake/autoconf.
* Fix new warnings produced by gcc 7.
* Migrate failed checkers at reload (provisional implementation).
* Implement comparison of checkers.
* genhash: libraries to link with should be put in LDADD, not LDFLAGS.
* configure.ac: fixed build on older systems, namely CentOS 6.
Provide AS_VAR_COPY if missing and downgrade autoconf dep to 2.63.
* Fix wrong migrate of checker-id.
* Set active if new failed_checkers is empty.
* Fix typo in interface details printing.
* Enable vmacs to work when sysctl net.ipv4.conf.all.rp_filter > 0.
A number of distros now set net.ipv4.conf.all.rp_filter = 1 by default.
This means that when a vrrp instance is in the master state, it cannot
receive adverts sent by a higher priority master, and hence we end up
with 2 masters.
I tried an alternative of receiving on the base interface, but no packets
that have the same source MAC address as an interface on the system
(i.e. the vmac interface) get delivered to the socket.
For distros such as Fedora, RHEL, CentOS, ArchLinux, all.rp_filter = 1
due to systemd commit
https://github.com/systemd/systemd/commit/1836bf9e1d70240c8079e4db4312309f4f1f91fd
The reason given for the commit is to work around a boot-time race condition
where interfaces created before default.rp_filter is set do not get the
updated default.rp_filter setting, and so the all.rp_filter setting is used
to override the individual interface settings. This doesn't seem the right
solution to the problem, since it prevents any interface running with
rp_filter = 0, and that is what we need for vmacs. I have filed an issue
report for systemd at https://github.com/systemd/systemd/issues/6282, but
in the mean time we need to work around the issue. Ubuntu sets all.rp_filter=1
in /etc/sysctl.d/10-network-security.conf provided by the procps package.
Debian doesn't set all.rp_filter.
The only solution I have found, and I am not entirely happy with this since
it has effects beyond keepalived and affects the system as a whole, is to set
all.rp_filter = 0. In order to seek not to change the operation of the system,
if default.rp_filter < all.rp_filter, default.rp_filter is set to all.rp_filter,
thereby ensuring that any new interfaces created will take the original value
of all.rp_filter. It then iterates through all existing interfaces, and
{interface}.rp_filter is set to the value of all.rp_filter if
{interface}.rp_filter < all.rp_filter. all.rp_filter is then set to 0.
This means that all interfaces should behave in the same way as before, since
the behaviour of rp_filter is defined by the maximum of
{interface,all}.rp_filter, but we are not able to operate the vmac interfaces
with rp_filter = 0. When keepalived exits, it restores the original settings
of rp_filter if they are the same as what we set them to.
* Only restore rp_filter on interfaces if same as we set them to.
If rp_filter has been altered since we set it, then do not restore
it to the original value.
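The rp_filter procedure from the two entries above, modelled on an in-memory table instead of /proc/sys (an added example, not keepalived's code). The struct and function names, the sample interfaces and their values are all constructed for illustration.

```c
#include <stdio.h>

#define MAX_IF 8

struct rpf_entry {
    const char *name;
    int value;   /* current rp_filter setting */
    int orig;    /* setting before the daemon changed it */
    int ours;    /* value the daemon wrote, -1 if never touched */
};

struct rpf_table {
    struct rpf_entry all, def;      /* conf/all and conf/default */
    struct rpf_entry ifs[MAX_IF];   /* per-interface settings */
    int n_ifs;
};

static void rpf_init(struct rpf_table *t, int all, int def)
{
    struct rpf_entry a = { "all", all, all, -1 };
    struct rpf_entry d = { "default", def, def, -1 };
    t->all = a;
    t->def = d;
    t->n_ifs = 0;
}

static void rpf_add_if(struct rpf_table *t, const char *name, int value)
{
    struct rpf_entry e = { name, value, value, -1 };
    if (t->n_ifs < MAX_IF)
        t->ifs[t->n_ifs++] = e;
}

/* Filtering actually applied to interface i: max of {interface, all}. */
static int rpf_effective(const struct rpf_table *t, int i)
{
    int v = t->ifs[i].value;
    return v > t->all.value ? v : t->all.value;
}

static void rpf_write(struct rpf_entry *e, int v)
{
    e->orig = e->value;
    e->value = e->ours = v;
}

/* Push the value of "all" down to default and to every interface that is
 * below it, then set "all" to 0 so a vmac interface can run unfiltered. */
static void rpf_clear_all(struct rpf_table *t)
{
    int all = t->all.value, i;

    if (t->def.value < all)
        rpf_write(&t->def, all);
    for (i = 0; i < t->n_ifs; i++)
        if (t->ifs[i].value < all)
            rpf_write(&t->ifs[i], all);
    rpf_write(&t->all, 0);
}

/* Put a setting back only if it still holds the value we wrote. */
static void rpf_restore_entry(struct rpf_entry *e)
{
    if (e->ours >= 0 && e->value == e->ours)
        e->value = e->orig;
    e->ours = -1;
}

static void rpf_restore(struct rpf_table *t)
{
    int i;

    for (i = 0; i < t->n_ifs; i++)
        rpf_restore_entry(&t->ifs[i]);
    rpf_restore_entry(&t->def);
    rpf_restore_entry(&t->all);
}

/* Constructed starting state: all=1, default=0, eth0=0, eth1=2, lo=0. */
static void rpf_sample(struct rpf_table *t)
{
    rpf_init(t, 1, 0);
    rpf_add_if(t, "eth0", 0);
    rpf_add_if(t, "eth1", 2);
    rpf_add_if(t, "lo", 0);
}

int main(void)
{
    struct rpf_table t;
    int i;

    rpf_sample(&t);
    rpf_clear_all(&t);
    rpf_add_if(&t, "vmac0", 0);     /* constructed vmac interface */
    for (i = 0; i < t.n_ifs; i++)
        printf("%-6s value=%d effective=%d\n",
               t.ifs[i].name, t.ifs[i].value, rpf_effective(&t, i));
    rpf_restore(&t);
    printf("after restore: all=%d default=%d\n", t.all.value, t.def.value);
    return 0;
}
```

Existing interfaces keep the same effective filtering after all.rp_filter drops to 0, and a setting an administrator changed in the meantime is left alone on restore.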
* Update files for build fix commits.
Commits 2cccc97 and a932cf2 provided fixes for building on CentOS6.
This commit updates genhash/Makefile.in in line with
genhash/Makefile.am and adds a comment to autoconf.ac regarding
when autoconf introduced support of AS_VAR_COPY.
* Fix build error when _HAVE_IPV4_DEVCONF_ was undefined.
* Remove unnecessary parameter compare.
* Resolve compiler warning introduced by commit 8361b11.
* Remove debugging log messages added in commits 99fe626 and 6ec26e0.
* Fix compiler warning and remove unwanted log messages.
* Make a couple of checker variables non global.
* Correct comparison for checker compare in migrate_failed_checkers.
Commit 2ff6b3f changed the sense of the comparisons of checkers,
but didn't make the corresponding change to checking the result.
* Fix keepalived.doc(5) man page.
* Add virtualhost config for real servers.
Different real servers may want different virtualhost config
settings. The real server virtualhost setting overrides the
virtual server virtualhost setting.
* Allow virtualhost to be specified per checker and per url.
* Fix compiling with SNMP enabled.
* Fix compiler warnings when use configure --enable-conversion-checks.
* Fix an unintentional case fall-through.
gcc 7 identified two case statement fall-throughs. One was intentional,
but the other was a bug. The latter is now fixed, a comment is added
for the former so the warning isn't generated.
* Fix commit cc67476 to allow flags for static and virtual ip addresses.
* Fix handling of more recent ip address flags.
Recent ip address flags have exceeded 8 bits, and so the IFA_FLAGS
attribute needs to be used, rather than the ifa_flags field.
* Fix typo in help.
2017-03-19 Alexandre Cassen <[email protected]>
* keepalived-1.3.5 released.
* Ensure nopreempt is not set if address owner.
* Remove hardcoded paths from init files.
* Add configure option to override system init type.
* Fix some configure tests for init type.
* Add support for ip rules uidrange option.
This option was added in Linux 4.10.
* Resolve compiler warning on 32 bit systems.
There were two warnings in lib/timer.c for signed vs. unsigned
comparisons on 32 bit systems.
* Add missing documentation for ip rule uidrange.
* Include snapcraft.yaml tar file.
* Remove extraneous EXTRA_DIST directory.
* Add library requirements for ArchLinux.
* Allow tracking and misc_check scripts time to terminate after
timeout. If a script exceeds the timeout, it is sent a SIGTERM,
and then if it still doesn't terminate, it is sent a SIGKILL.
The problem was that the script was only allowed 2 microseconds
to terminate, whereas it should have been 2 seconds.
* Fix script paths when converted to absolute path names.
If a tracking or misc_check script is not specified by a fully
qualified path name, but rather it is resolved via PATH, the updated
path name wasn't being saved for tracking or misc_check scripts.
* Remove yet more hardcoded paths.
* Make git ignore keepalived.service file.
* Streamline signal handling initialisation.
* Report track script name if it times out.
keepalived was simply reporting that pid nnnn had timed out, which
didn't give any indication of what script it was that had timed out.
This patch now means that the script name will be logged rather than
the pid.
* Fix conditional configuration for config read via alloc_value_block().
The code for handling conditional configuration was in the wrong function.
This commit moves it to read_line() so all configuration is read in the
context of @system_id conditional lines.
* Fix compiling with --disable-vrrp.
When building without vrrp, the checker process still needs to
know about IP address creation and deletion in order to allow the
ha_suspend configuration option to work.
* The checker process never needs to monitor interfaces.
* Move vrrp_ipvs_needed() to vrrp_daemon.c.
* Remove some unnecessary includes of check_data.h.
* Make ha_suspend work when building without vrrp.
Support of ha_suspend was only enabled when keepalived was built
with vrrp support. There may be other processes that are adding and
deleting ip addresses, so support of ha_suspend should be enabled when
building without vrrp support.
Also, the vrrp process doesn't need to call the update_checker_activity()
function when addresses are added or deleted.
* Don't use netlink address monitoring if not using ha_suspend.
* Make --release-vips (-X) option work.
'X' was not included in the optstring for getopt_long(), and so
--release-vips option was not recognised.
Further, only enable VRRP and checker specific options if compiled
with that functionality.
* Only report added/deleted addresses if relevant to keepalived.
Logs could get full of messages reporting address addition/deletion
that were of no relevance to keepalived. By default, keepalived will
now only report address additions/deletions with the -D option if
the address is relevant to keepalived.
The -a option is added to log all address additions/deletions.
* Remove all #ifdef _WITH_LVS_ from checker code.
If building the checker code, _WITH_LVS_ is always defined (_WITH_LVS_
means build the checker code), so there is no point testing if it is
defined in any of the checker code.
* Only include vrrp header files when building with vrrp and also for
check. Make sure vrrp header files are only included if building with
vrrp (i.e. without --disable-vrrp), and likewise only include check
header files if compiling with LVS support (i.e. without --disable-lvs).
* Add test/tcp_server.c for testing TCP_CHECK.
* Make -a option work without ha_suspend.
* Fix integer types. The correct, standard integer types are uint8_t and
uint16_t, not u_int8_t nor u_int16_t (the latter being kernel types).
glibc and uClibc may define the kernel-compatible types, but musl (which
is standards-compliant) does not.
* Fix warning when compiling without libnl.
* Add including <stdint.h> where those types are used.
* Add option to not use dlopen() for libipset, but link at link time.
* Remove superfluous (duplicated) block of code.
* Add option for dynamic (run-time) linking to libip[46]tc.
* Fix dynamic linking of libiptc without ipsets.
* Check iptables/ip6tables commands available before using them.
* Fix some conversion check compiler warnings.
* Make configure option --disable-routes do something.
* Don't link to libdl if not needed.
* Fix compilation with --disable-vrrp.
* Don't link to libraries not required by configuration.
* Remove all authentication code if --disable-vrrp-auth specified.
* Remove FALLBACK_LIBNL1 and use existing _HAVE_LIBNL1_ instead.
There was no point in a separate FALLBACK_LIBNL1 since it and
_HAVE_LIBNL1_ always had the same value.
* Add udp functionality to tcp_server test program.
* Fix check_conditional_tests script.
* Add option for dynamic (run-time) linking to libxtables.
* First stage of run-time linking to libnl-3.
* Dynamic/static linking options of libnl/libnl-3, libip[46]tc and
libipset. libnl/libnl-3, libip[46]tc and libipset can all be dynamically
linked at run-time, and if they are not available, keepalived will use
the alternative code which is used when the libraries cannot be linked
at build time.
This means that a single executable keepalived can be created that will
use the libraries if they are installed on the target system, but will
fall back to the alternatives if the libraries are not available.
This is useful for build environments such as Buildroot which will not
force optional dependencies (see pull request #540), since now keepalived
can be built so as not to force the optional dependencies, but to make
use of them if they are installed.
* Fix building without libnl/libnl-3.
* Don't allow adver_int to be rounded down to 0.
* Fix creation of iptables entries on more recent kernels.
On a 4.9.13 kernel iptables entries were being created with
return-nomatch ! update-counters ! update-subcounters, as shown by
the iptables command.
Although it is not understood why these options are being added, it
transpires that the problem occurs when using version one of the
xt_info_set_match, but doesn't occur when using version 4 of the
structure.
This patch ensures that the latest version of the structure that is
supported by the kernel is always used.
* Fix updating /proc/sys/kernel/core_pattern.
Reset file offset to beginning of file between reading the file and
writing new contents.
* Fix printing of smtp_server port.
* Handle failure if fail dynamically to get address of a libipset function.
* Be defensive in case fail to get address of a libipset function dynamically.
* Fix evaluation of library names for run-time linking.
* Show failed ipset dl function.
* Provide explicit DL error messages and fix autobuilt snap version.
* Fix formatting of email message for CHECK_SMTP failures.
The format string passed to smtp_final() can contain format specifiers
so a further pass through printf is required.
* Add printf format attribute to vlog_message().
* Add higher_prio_send_advert vrrp config option.
There is a problem if two vrrp instances, due to becoming isolated,
both become master, since they will both have sent GARP messages.
Setting higher_prio_send_advert and garp_lower_priority_repeat means
that if a master receives a higher priority advert, it will send its
own lower priority advert before it transitions to backup. The higher
priority master, on receiving a lower priority advert, will then send
GARP messages, and so the ARP caches will then be correctly updated.
Using the higher_prio_send_advert option may be considered not to
conform to the VRRP protocol (725) to (765) in state description of
RFC5798, however, since which of the two masters advertises first
after they can both see each other again is random, there is a 50%
chance that the lower priority instance will send an advert before the
higher priority instance, so to all external observers it will appear
that this is the case, or at least that the adverts overlapped.
* Fix higher_prio_send_advert in lower priority master.
* Load the ip_tables module if using iptables.
We cannot guarantee that the ip_tables module has been loaded, so
we load it ourself if using libiptc.
* Fix (cosmetic) conditional compilation test.
* Fix building with --enable-libxtables-dynamic --disable-libiptc.
* Enable compilation with namespaces if SYS_setns is not defined.
* Fix compiling with struct xt_set_info_match_v0.
* Check to libnfnetlink.h and netlink.h with libnl v1 too.
* Workaround missing libraries from pkg-config --libs libiptc.
Old versions of libiptc don't report requirements on libip4tc and
libip6tc, so check if the output from pkg-config is only -L.* -liptc
and if so add -lip4tc -lip6tc.
2017-02-18 Alexandre Cassen <[email protected]>
* keepalived-1.3.4 released.
* Fix generation of lib/git-commit.h when building a tagged commit.
* Define GIT_DATE and GIT_YEAR when generating default git-commit.h
This issue was caused by commit 5287f03 which didn't define GIT_DATE
and GIT_YEAR in all circumstances.
2017-02-14 Alexandre Cassen <[email protected]>
* keepalived-1.3.3 released.
* Fix uninitialised use of misck_checker in script timeout.
* Fix detection of no netlink being installed.
* Fix conditional compilation for LIBIPVS without netlink.
* Terminate child processes if parent dies.
If the parent keepalived process is killed, the child processes will
be orphaned and can cause problems when attempting to restart
keepalived. This patch makes use of prctl with PR_SET_PDEATHSIG such
that all child processes will receive SIGTERM if the parent process
dies.
* Ensure syslog and mem_check_log open before using them.
A segfault was occurring when --enable-mem-check-log option was
selected, due to attempting to write to the log file before it had
been opened. It was also evident that there could be attempts to
write to syslog before that had been opened too.
* Fix building on Centos 7/RHEL 7 re lightweight tunnel encapsulation.
RedHat have partially backported lightweight tunnel encapsulation
into their kernel, but not included MPLS or ILA. We need to have
conditional compilation for LWTUNNEL_ENCAP_MPLS and LWTUNNEL_ENCAP_ILA
rather than just checking for RTA_ENCAP.
* Update documentation for tracking scripts weight 0.
weight default is 0, which means that a failure implies a FAULT state.
* Reinstate code checking module ip_vs loaded.
Commit d900df2 removed a bit too much code that looked as though it
wasn't doing anything, with the result that the check of whether the
ip_vs module was loaded didn't occur.
This commit reinstates the code for checking, and if necessary loading,
the ip_vs module, but also sanitises the code slightly.
* Fix some more compiler warnings.
* Fix a typo in a help message in configure.ac.
* sorry_server: keep sorry_server on reload.
* sorry_server: set it up on start or reload if quorum is down.
on start: in alpha mode.
on reload: if changed, or no previous sorry_server.
* Added doc for priority 4th parameter to notify script.
* ipwrapper.c: make functions void if return value not used or constant.
Several functions in check/ipwrapper.c were always returning the same
value, and the code calling the functions then checked and returned an
error if the return value was not the value always returned. Also, for
some functions returning a value the return value was never checked in
the calling function.
Making the functions void, and removing the if (...) makes the code easier
to read, and potentially slightly more efficient.
* Add snapcraft.yaml for CI build publication.
* Fix missing documentation for 4th parameter of notify action.
* Make builds reproducible, and copyright date reflect latest commit.
Pull request #503 provided an update to facilitate reproducible builds,
and also ensure that the copyright date doesn't postdate the last source
code modification. Unfortunately the commits required manual updates to
change the copyright year, thereby creating maintainability issues. The
commit also allowed fake build dates to be specified.
This commit takes an alternative approach, and takes the dates used for
the copyright message and the version date from the date of the last git
commit.
If the code is built from within a git tree, this is straightforward. On
the other hand, the code may be built from tarball, so we ensure that
the lib/git-commit.h file is updated when the tarball is built, and
included in the tarball.
* Add option to force building without libnl/libnl-3.
This option is really only for test purposes to build keepalived
without libnl even though libnl is installed.
* Log errors if configure IPVS with IPv6 if not using libnl.
The socket interface for configuring IPVS does not support IPv6,
so rather than leaving the user with the error message
"Operation not supported with specified address family"
give a meaningful message in the log.
At configure time, a warning will also be generated stating that
IPVS will not support IPv6.
* Ensure IPVS address families match.
Don't allow a mixture of IPv4 and IPv6 addresses in a virtual server
group, or within a virtual server.
* When dumping an IPVS IPv6 address range, use hex.
* Log if virtual_server_group doesn't exist, or address family mismatch.
If a virtual server is configured to use a virtual server group but that
virtual server group doesn't exist, then log an error.
Also, if the address family of the virtual server group and virtual server
don't match, log an error as well.
We really ought to be removing the virtual server from the configuration,
but I haven't worked out how to do that yet.
* Don't flag changes to automake/conf generated files as source changes.
The output of keepalived -v adds a '+' if there are uncommitted changes to
the source code. However, we aren't interested in changes to the autoconf
or automake generated files, since these aren't really "source" files, and
are only included in the git repo to allow building on systems without
autoconf/automake. Further, the differences may simply be due to different
versions of autotools being used.
* Minor formatting updates to Sphinx documentation.
* Enable configure to work with ash.
* Handle sysconf() returning -1 for _SC_GETPW_R_SIZE_MAX.
* Report ignoring virtual server if group specified doesn't exist.
It's too difficult to remove the virtual server from the configuration,
but the error will be reported in the log, and so the sysadmin should
resolve the configuration.
* Updated snapcraft.yaml location.
* Move snapcraft and reflect master version.
* Add libipset3 to snap stage packages.
* Allow for keepalived to be a command in /snap/bin/ as well as a daemon.
* Add 'source-type: git' to avoid dirty commit versions.
* Update gitignore for clean snap commit versions.
* Resolve not adding '+' to git version in snapcraft builds.
This is a temporary workaround to the problem of snapcraft deleting
the snap/snapcraft.yaml file from its clone of the git repo (see
https://bugs.launchpad.net/snapcraft/+bug/1662388 for details).
* Add cleaning of snapcraft generated directories/files.
* Add support for Alpine Linux.
This commit adds detection and support of the OpenRC init system.
* Add details of what libraries are needed for various Linux distros.
* Force recreating automake/autoconf files when building with rpm.
If an autoconf/automake source file is patched as part of the rpmbuild
process, then some of the autoconf/automake generated files may be
regenerated, and this can cause a mismatch if the versions of autoconf/
automake on the system building the rpm don't match the versions
that were used to generate the files that have been committed to git.
This patch changes the keepalived.spec file to always run autoreconf -f -i
to ensure the generated autoconf/automake files are aligned to the right
version.
2016-11-26 Alexandre Cassen <[email protected]>
* keepalived-1.3.2 released.
* Correctly handle return code from system() call.
If we want to check for an exit status, WIFEXITED(ret) must be
checked first.
* Fix compilation where SNMP enabled.
* Fix a couple of SNMP errors.
The length of KEEPALIVED-MIB::version was being returned a sizeof(char *)
rather than strlen(char *).
VRRPv3 vrrpv3GlobalStatisticsDiscontinuityTime was being completely
mishandled.
* Add additional files needed to build from git without autoconf.
* Don't save and restore current directory twice with config includes.
* Don't recognise an executable file as a configuration file.
* Allow maximum path names for configuration files.
* Don't check for include file after reaching EOF.
* Fix a segfault if terminating at startup due to interface not found.
* notify: log error while performing set{gid,uid}.
Log error message while setting group and user before system call.
Maybe we should avoid system call on error if {gid,uid} are used, would
be more secure.
* Don't execute a script if setuid or setgid fails.
This was suggested in the comment of commit 849615d and is clearly
the right (secure) thing to do.
* If a script doesn't have a '/' in the name, search PATH for it.
This also handles spaces in script specifications where they are
parameters.
* Don't allow accept when strict mode set if not address owner.
This commit changes keepalived from just issuing a warning to also
disable accept mode when strict mode is set.
Patch submitted by levin1.
* Added init_fail setting to assume failed state for vrrp_script during
startup of keepalived.
* When checking script security check set uid/gid bits too.
Although the setuid/gid bits are ignored for scripts, they are
not ignored for binary executables, and there is no point in having
the bits set for scripts. So we play safe, and simply check those
bits, and don't attempt to ascertain if it is a script or not.
* Disable scripts that aren't executable.
system() on a non-executable script will fail, so we may as well
just not try executing such a script.
* Exit if can't read configuration file.
If we have no configuration, we have nothing to run, so exit.
* Don't chdir("/") if not forking.
In keepalived_main() there is a comment that the working directory
is / unless keepalived is run in non-forked mode, in which case it
remains the current working directory when keepalived was run.
Unfortunately start_vrrp_child() and start_check_child() were
executing chdir("/") regardless of whether they had been forked or not.
Since the parent process does chdir("/") if it is appropriate, the
children will inherit that, so they don't need to chdir() at all.
* Only set umask(0) in parent process.
The children inherit it from the parent, so no need to set it in
the vrrp or checker child processes.
* Further changes for script init state failed.
* notify: use _GNU_SOURCE.
Just to make compiler happy about inconsistent declaration of mempcpy
and strchrnul. Just cosmetics here.
2016-11-21 Alexandre Cassen <[email protected]>
* keepalived-1.3.1 released.
* Ensure lists aren't empty when checking script security.
* Correctly check security of scripts with parameters, and check
checker notify/quorum scripts
* Check security of real/virtual server notify scripts.
* Handle space in filenames appropriately when checking script security.
The generic notify scripts can have spaces in their filenames; for all other
scripts, spaces delineate parameters.
2016-11-20 Alexandre Cassen <[email protected]>
* keepalived-1.3.0 released.
* Add DBus functionality to VRRP.
Add new pthread off VRRP to expose DBus service org.keepalived.Vrrp1
through a GMainLoop.
Create a general /org/keepalived/Vrrp1/Vrrp DBus
object and a /org/keepalived/Vrrp1/Instance/#interface#/#group# object for
each VRRP instance.
Interface org.keepalived.Vrrp1.Vrrp implements methods PrintData,
PrintStats and signal VrrpStopped.
Interface com.keepalived.Vrrp1.Instance implements method SendGarp
(sends a single Gratuitous ARP from the given Instance),
signal VrrpStatusChange, and properties Name and State (retrievable
through calls to org.freedesktop.DBus.Properties.Get)
Interface files are located at location /usr/share/dbus-1/interfaces/
A policy file, which determines who has access to the service, is
located at /etc/dbus-1/system.d/
* Resolve DBus working after a reload
thread_destroy_list() was closing file descriptors of read and write
threads, but we wanted the DBus pipes to remain open. It transpires that
closing the fds in thread_destroy_list() is unnecessary, since they are
closed elsewhere anyway, so stop closing the fds in thread_destroy_list().
* Add stronger compiler warnings (-Wextra).
The following bugs were discovered:
check_smnp_realserver_weight()
comparison of unsigned value < 0
alloc_ipaddress()
comparison of unsigned == -1 and not checking
return status of find_rttables_scope() correctly
read_line()
accessing element buf[18446744073709551615]
ie. buf[2^64-1], which is the same as buf[-1].
The following improvements to the code were made:
Many unused function parameters
either removed or marked unused
Many signed vs. unsigned comparisons
In most cases variables change to be unsigned
Lengths being stored in signed variables
* Rationalise checking of libnl-3.
* Bring generation of rpmbuild keepalived.spec file up to date
The keepalived.spec file is now created to match the options passed
to configure. It also detects if the system init process is systemd,
upstart or the traditional SYSV init system.
* Add more BuildRequires to keepalived.spec.in.
* Further improvements to keepalived.spec.in for systemd systems
* Change some configure.ac variable names due to using PKG_PROG_PKG_CONFIG
* Fix configure.ac to make RedHat hardened rpm builds work
CFLAGS, CPPFLAGS and LIBS variables were not being preserved by
configure.ac, and this caused needed CFLAGS to be lost when
configure was run, resulting in a build failure.
This commit ensures the flags are all preserved.
* Allow for automake macro AM_PROG_AR not existing.
* Add support for UDP socket to layer4 library.
* Add DNS checker.
* Update documentation for DNS health checker.
* Fix compile check for PE selection support.
* Add file missing from add-dns-checker commit.
* Update commits for correctly checking for IPVS_SVC_ATTR_PE_NAME.
The updated configure and lib/config.h.in weren't included in the commits,
and to be consistent the comment on what Linux version introduced the feature
is in configure.ac if the test exists in configure.ac
* Fix conditional compilation test for FRA_OIFNAME.
* Fix compilation test for IFLA_INET6_ADDR_GEN_MODE.
* Fix compilation test for IPVS_DEST_ATTR_ADDR_FAMILY.
* Fix compilation test for IPVS_DEST_ATTR_STATS64 and IPVS_SVC_ATTR_STATS64.
* Fix compilation test for RTA_VIA.
* Fix compilation test for CLONE_NEWNET for DBus.
* Fix issue of overwriting the original disposition of signals.
* Improve forced termination of script execution process and its offspring.
* Improve propagate important signal for the script process groups.
* Use argument instead of static variable.
* Fix bug around the process group.
* Use SIGTERM instead of SIGHUP.
* Stop linking with -lipset.
libipset (if used) is dynamically linked at runtime, and so keepalived
shouldn't be linked with -lipset.
Linking with -lipset was erroneously added when converting the build
system to use automake.
* Report diagnostic message if dlopen() fails.
* Fix loading of ipset library when development library not installed.
* Don't use ipsets with namespaces on Linux < 3.13 by default.
On Linux prior to version 3.13, ipsets were not network namespace
aware, so by default the use of ipsets is disabled if keepalived
is running in a network namespace. Configuration keyword
'namespace_with_ipsets' enables ipset use with a network namespace
on these older kernels.
* Fix reporting of script exit status.
* Update documentation and fix compiler warning re ipset with Linux < 3.13
* Make report_child_status() check for vrrp and checker child processes
report_child_status() checks for exit status KEEPALIVED_EXIT_FATAL
and KEEPALIVED_EXIT_CONFIG, but these are only relevant for the vrrp
and checker child processes, and not for track scripts etc. This commit
adds a check that the terminating process is the vrrp or checker process
before checking those exit statuses.
* Add no_accept mode for VRRPv2 and standardise VRRPv3 with it
RFC3768, for VRRPv2, specifies that packets addressed to the VIPs
should not be accepted, unless the router is the address owner.
This commit implements not accepting the packets when running VRRPv2,
but only if no_accept is specified, or running in strict mode. The reason
for not making no_accept the default (which would conform to the RFCs) is
that if running IPVS, or any other service on top of the VIPs, we need to
be able to accept the packets, and requiring everyone to specify accept
in that case would not be reasonable.
Prior to this commit, VRRPv3 was blocking packets sent to VIPs (and eVIPS),
unless the vrrp instance was the address owner, or accept mode was set. This
commit changes the default behaviour for VRRPv3 to make it consistent with
VRRPv2 (i.e. either strict mode or no_accept needs to be specified to be
conformant with RFC5978).
* Tidy up logged messages if ipset initialisation fails.
* Streamline MII polling.
We only need to read 2 MII registers, and not 32 as was previously being
done.
This commit also uses the <linux/mii.h> header file for field and
register definitions.
* Simplify bitops.h code.
* Resolve warnings generated with compiler option -Dconversion.
Most of the warnings were resolved by changing the data types of some
variables. Others required casting, particularly where kernel interfaces
are involved.
There were a few instances discovered that were errors, for example comparing
an unsigned int against -1, and assigning a 16 bit value to a uint8_t.
This commit also adds configure options --enable-conversion-checks and
--enable-force-conversion-checks, the former adds compiler option -Dconversion
unless the compiler is an old version that throws up false warnings. Option
--enable-force-conversion-checks adds -Dconversion even if the compiler throws
up known false warnings.
* Fix some minor errors/typos in doc/keepalived.conf.SYNOPSIS.
* Fix keyword error in sample configuration.
* Fix typo in genhash error message.
* Fix address ranges for virtual server groups
The handling of address ranges was only written for IPv4 addresses, and
only worked on little endian systems.
This commit enables IPv6 address ranges to work, and also should now
work on big endian systems (but I don't have access to a big endian system
to test it). Validation is added to ensure that the end of the range is after
the start of the range, and that the value of the range end does not exceed
255 (for IPv4) or ffff (for IPv6).
There is also some optimisation of the code, so that netmask is not set (since
it isn't used by the kernel), and the port is set once only, before the loop
through the addresses.
* Add --enable-Werror configure option.
* Add promote_secondaries keyword for vrrp_instance block.
If two IPv4 VIP addresses are in the same CIDR, and the primary
address is removed, then by default any other address in the same CIDR is
also removed. To stop this happening, the promote_secondaries flag
needs to be set on the interface.
Commit e5526cf added setting the promote_secondaries option on
VMAC interfaces, and stated that adding the option for non-VMAC
interfaces would be added later. This commit now adds a