From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] keepalived: Update to version 2.2.8
Date: Tue, 15 Aug 2023 14:13:00 +0200
Message-ID: <20230815121300.3492341-1-adolf.belka@ipfire.org>

- Update from version 2.2.7 to 2.2.8
- Update of rootfile not required
- Changelog
    2.2.8
    31st May 2023
    This release brings improvements and fixes some minor issues reported. It adds some new VRRP and BFD features as well.

    New
    vrrp: Add support for Infiniband over IPv6. Github issue #2100 reported that attempting to use IPv6 over Infiniband was causing keepalived to segfault. It turned out that vrrp_ndisc.c had a comment that it still needed to be implemented, which we have now been able to do with someone in a position to test it. With many thanks to Itel Levy of NVIDIA, Israel for reporting the issue and testing the patch to confirm that it works.
    vrrp: Add no_virtual_ipaddress keyword. This keyword suppresses warnings for no virtual ipaddresses configured and allows none to be configured when using VRRPv3.
    vrrp: Add --enable-nm configure option. --enable-nm adds support for Keepalived telling NetworkManager not to manage VMAC interfaces that keepalived creates. Early versions of NM (i.e. at least up to v1.12, but resolved at the latest by v1.18) would set the VMAC interfaces as managed by NetworkManager, and then if the underlying interface went down, NM would down the VMAC interface and the VRRP instance would never recover from fault state.
    vrrp: add v3_checksum_as_v2 configuration option. RFC 5798 (the VRRPv3 RFC) states regarding the checksum:
        5.2.8. Checksum
        The checksum field is used to detect data corruption in the VRRP message.
        The checksum is the 16-bit one's complement of the one's complement sum of the entire VRRP message starting with the version field and a "pseudo-header" as defined in Section 8.1 of [RFC2460]. The next header field in the "pseudo-header" should be set to 112 (decimal) for VRRP. For computing the checksum, the checksum field is set to zero. See RFC1071 for more detail.
    Some manufacturers (e.g. Cisco) interpret this to mean that the pseudo-header is not included in the checksum calculation, since RFC2460 only defines a pseudo-header for IPv6. RFC3768 (the last VRRPv2 RFC) did not include a pseudo-header in the checksum. However, keepalived has always included a pseudo-header in the VRRPv3 IPv4 checksum, which is also consistent with the default setting in Wireshark. In order to allow interoperation with Cisco routers, and possibly other manufacturers, the "v3_checksum_as_v2" keyword, when configured in global_defs to set the default for all vrrp_instances, or in individual vrrp_instances, causes those vrrp_instances to exclude the pseudo-header from the checksum. The default action of including the pseudo-header in the checksum remains unchanged.
    vrrp: Add option to revert to backup if thread timer expires. If the VRRP process is not scheduled for sufficiently long, another VRRP instance may have taken over as master. For some users, minimising the number of master switches is desired, and so if nopreempt is configured (if it is not configured the highest priority instance will take over as master again), and if it is too long after a thread timer expires before keepalived is scheduled to run so that another instance will probably have taken over as master, we will just revert to backup state rather than sending further adverts. The keyword that configures this is thread_timer_expired.
    vrrp: Add optional new JSON format including track_process details. The original JSON format did not allow for adding additional object types other than the original vrrp instances. This commit adds a json_version 2, which puts the vrrp instances in a named array and adds an array of the track_processes.
    core: add option to check for malloc's etc returning NULL. Configure option --enable-malloc-check will cause the returned value of malloc/realloc/strdup/strndup to be checked to ensure that they do not return NULL. If any such call does return NULL a message will be logged and the process will terminate. Unless sysctl vm.overcommit_memory == 2 (default is usually 0), or the malloc would cause the process virtual address space to exceed the limit, malloc etc will not return NULL. It is only once there is a write into the memory block that the memory is actually allocated, and if there is insufficient memory (including swap space), then the OOM killer will step in to either kill keepalived, or kill another process. Consequently checking for NULL being returned is generally a waste of time and program size.
    ipvs: Add option to check OpenSSL mallocs/frees for validity.
    ipvs: Add option to let SSL_GET shutdown comply with TLS spec.
    bfd: Add multihop option to conform with RFC5883. RFCs 5881 and 5883 state that port 3784 is used for single hop BFD and port 4784 is used for multihop. The commit adds configuration option "multihop" to use port 4784 rather than port 3784.

    Improvements
    vrrp: Don't adjust vrrp receive timeout during delayed start. The timeout for a vrrp instance to become master should not be changed if an advert is received during the delayed start - the timeout is set to include the delayed start and the (3 to 4) * advert int delay to take over as master.
    vrrp: Remove redundant checks of snmp_option.
    vrrp: delay freeing vrrp instances until all references are freed. Trackers etc have lists for vrrp instances that are tracking them. Therefore the trackers, and their references, must be freed before the vrrp instances are freed.
    vrrp: restore the vmac ipv6 link-local after flapping. The user is not supposed to shut down a vmac interface created by keepalived. However, it can mistakenly happen. When the link is re-established, the link-local has disappeared (the kernel removes all IPv6 addresses on link down except if the keep_addr_on_down sysctl is on) and sending VRRP packets is no longer possible. Restore the IPv6 Link-Local after a VMAC interface flapping. A Link-Local is not set when the VRRP packets are sent from the base interface (vmac-xmit-base). Note that the IPv6 Virtual Addresses are also removed on link down, which is the desired behavior. Enabling the keep_addr_on_down sysctl would keep the link-local without this patch but would break this behavior.
    doc: Man pages and documentation updates. Add explanation of why unicast VRRPv3 checksum changed.
    configure: Add systemd auto option. Fix default config file with ${prefix} use. Use back-ticks rather than $(...) for commands. Improve checking for ${prefix}.
    ipvs: Don't report HTTP_CHECK when it is an SSL_CHECK.
    ipvs: Work around OpenSSL memory leak in versions 3.0.0 to 3.0.4. The memory leak was observed with OpenSSL 3.0.1, and it is resolved by version 3.0.5. Also the leak is not observed in v1.1.1n.
    ipvs: Simplify SSL_GET handling code.

    Fixes
    rpm: Fix RPM spec file to use kmod-lib and kmod-devel rather than libkmod.
    vrrp: Fix NFT support to properly handle build with L4PROTO support.
    vrrp: Resolve segfault when enable_snmp_vrrp is added at a reload.
    vrrp: Work around GCC LTO bug causing incorrect VRRPv3 checksum. The problem was observed with GCC versions 11.2, 11.3.1 and 12.1.1, on Ubuntu 22.04, Fedora 34, Fedora 36 and Fedora 37 (Rawhide). The problem did not occur when not using LTO, nor when using clang, even with LTO.
    vrrp: Fix ipv6 vrrp in fault state because of no ipv4 address. Setting an IPv6 VRRP virtual address on an interface that has no IPv4 address results in a persistent FAULT state.
    core: Fix segfault when receiving a netlink message for an added static default route.
    build: Fix order of -lssl -lcrypto. This needs to be correct in order to be able to use static library linking on Alpine Linux.
    build: Fix build with libressl. SSL_set0_rbio is provided by libressl since version 3.4.0 and libressl/openbsd@c99939f but SSL_set0_wbio is not provided, resulting in build failure.
    build: Fix out of tree builds. Fix build error with --disable-track-process.
    build: Fix building with --disable-vmac.
    build: Fix compiler warning when building without VRRP authentication.
    parser: Fix segfault caused by extra '}' and other parser fixes. If there was a configuration error in a block, e.g. a vrrp_instance, keepalived would apply the configuration in the rest of the block to the previous object of that type, e.g. the previous vrrp instance. If there had been no previous instance, keepalived would probably segfault. This commit changes the way the parser works. A new instance of an object, e.g. a VRRP instance or a virtual server, is only added to the list of those objects once the configuration of that object is complete. In particular it no longer applies the configuration to the last entry on the list of the relevant object type, but keeps a pointer to the object currently being configured.
    parser: Optimise fixing recalculating updated line length.
    ipvs: Fix memory leaks when configuration is repeated. Use last entry if duplicate definition.
    lib: Fix malloc check code for CPUs without unaligned memory access.

Signed-off-by: Adolf Belka
---
 lfs/keepalived | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/keepalived b/lfs/keepalived
index 22bd22dd3..fbb60a2ff 100644
--- a/lfs/keepalived
+++ b/lfs/keepalived
@@ -26,7 +26,7 @@ include Config =20 SUMMARY =3D A keepalive facility for Linux =20 -VER =3D 2.2.7 +VER =3D 2.2.8 =20 THISAPP =3D keepalived-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D keepalived -PAK_VER =3D 14 +PAK_VER =3D 15 =20 DEPS =3D =20 @@ -48,7 +48,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_BLAKE2 =3D 62c4534eb1eebeac596b628a1fa5fb4069498d532fdeff0dc51afb= c71e90125bff7fcffb897da3fd34765c64f43d7b04dcf184169b1bc2cf33413e109f9f5cdc +$(DL_FILE)_BLAKE2 =3D 3d8d738a0c4e6f00ea8dc3603813d21e52e259d301872f2db16c33= 73c3a034bedcf3f02e19d1b50855d90bbfece863e710d75a67e2d6dd057dfe451608a73fcb =20 install : $(TARGET) =20 --=20 2.41.0 --===============4810558592546112130==--
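Review bot: the `-PAK_VER = 14` / `+PAK_VER = 15` hunk is the correct bump for an add-on package, but the "Update of rootfile not required" line in the message is not supported by anything in the hunks, and the changelog in this same message lists build-system changes in 2.2.8 (the `--enable-nm` and `--enable-malloc-check` configure options, a configure "systemd auto option", `${prefix}` handling in the default config file path, out-of-tree build fixes) that could add or move installed files; the message should state that the installed file list of a 2.2.8 build was diffed against the current rootfile, so the claim is verifiable rather than asserted.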
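Review bot: the `$(DL_FILE)_BLAKE2` hunk is the only integrity check the build applies to the tarball, and the `DL_FROM = $(URL_IPFIRE)` context shows it is fetched from the IPFire mirror rather than from upstream, so the message should say that the new hash was computed from (or compared against) the upstream keepalived-2.2.8.tar.gz release and not only from the copy uploaded to the mirror; as written, a reviewer cannot tell a hash of the real release from a hash of whatever landed on the mirror.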
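The v3_checksum_as_v2 entry in the changelog above describes two incompatible ways of computing the VRRPv3 checksum over IPv4 and why the keyword exists. The following is an added example, not keepalived's code and not part of this patch: it builds a VRRPv3 advertisement, checksums it with and without the IPv4 pseudo-header, and shows that an advert produced with the pseudo-header (keepalived's default) fails verification at a peer that omits it, and vice versa. The pseudo-header layout (source, destination, zero byte, protocol 112, VRRP length), the addresses, VRID and priority, and all function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VRRP_PROTO    112   /* IP protocol number for VRRP */
#define VRRP3_HDR_LEN 8     /* fixed VRRPv3 header, RFC 5798 section 5.1 */

/* RFC 1071: add 16-bit big-endian words into a 32-bit running sum. */
static uint32_t ones_sum(uint32_t acc, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)                                /* odd trailing byte, zero padded */
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Checksum of a VRRPv3 message with its checksum field taken as zero.
 * with_pseudo = 1 is keepalived's default; 0 is what v3_checksum_as_v2 selects.
 * The IPv4 pseudo-header layout below is this example's assumption (RFC 2460 style). */
uint16_t vrrp3_checksum(const uint8_t *msg, size_t len, const uint8_t src[4],
                        const uint8_t dst[4], int with_pseudo)
{
    uint32_t acc = 0;
    if (len < VRRP3_HDR_LEN)
        return 0;
    if (with_pseudo) {
        uint8_t ph[12] = {0};               /* src, dst, zero, proto, VRRP length */
        memcpy(ph, src, 4);
        memcpy(ph + 4, dst, 4);
        ph[9] = VRRP_PROTO;
        ph[10] = (uint8_t)(len >> 8);
        ph[11] = (uint8_t)len;
        acc = ones_sum(acc, ph, sizeof ph);
    }
    acc = ones_sum(acc, msg, 6);            /* version/type .. max adver int */
    acc = ones_sum(acc, msg + 8, len - 8);  /* skip checksum word, then the VIPs */
    while (acc >> 16)                       /* fold carries, then complement */
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Build a VRRPv3 IPv4 ADVERTISEMENT; returns its length, or 0 on bad input. */
size_t vrrp3_build_advert(uint8_t *out, size_t cap, uint8_t vrid, uint8_t prio,
                          uint16_t adv_int_cs, const uint8_t (*vips)[4], size_t nvips,
                          const uint8_t src[4], const uint8_t dst[4], int with_pseudo)
{
    size_t len = VRRP3_HDR_LEN + 4 * nvips, i;
    uint16_t csum;
    if (cap < len || nvips == 0 || nvips > 255 || adv_int_cs > 0x0fff)
        return 0;
    out[0] = 0x31;                          /* version 3, type 1 = ADVERTISEMENT */
    out[1] = vrid;
    out[2] = prio;
    out[3] = (uint8_t)nvips;                /* count IPvX addr */
    out[4] = (uint8_t)(adv_int_cs >> 8);    /* rsvd(4) | max adver int(12), centiseconds */
    out[5] = (uint8_t)adv_int_cs;
    out[6] = out[7] = 0;                    /* zero while the checksum is computed */
    for (i = 0; i < nvips; i++)
        memcpy(out + VRRP3_HDR_LEN + 4 * i, vips[i], 4);
    csum = vrrp3_checksum(out, len, src, dst, with_pseudo);
    out[6] = (uint8_t)(csum >> 8);
    out[7] = (uint8_t)csum;
    return len;
}

/* Constructed sample (no capture): VRID 51, priority 100, 1 s advert interval,
 * VIP 192.0.2.10, sent from 192.0.2.1 to the VRRP multicast group 224.0.0.18. */
static const uint8_t SAMPLE_SRC[4] = {192, 0, 2, 1}, SAMPLE_DST[4] = {224, 0, 0, 18};
static const uint8_t SAMPLE_VIP[1][4] = {{192, 0, 2, 10}};

/* Checksum field the sample advert carries under the sender's policy. */
uint16_t sample_checksum(int with_pseudo)
{
    uint8_t pkt[64];
    size_t n = vrrp3_build_advert(pkt, sizeof pkt, 51, 100, 100, SAMPLE_VIP, 1,
                                  SAMPLE_SRC, SAMPLE_DST, with_pseudo);
    return n ? (uint16_t)(((uint16_t)pkt[6] << 8) | pkt[7]) : 0;
}

/* Does a receiver with policy rx_pseudo accept an advert built with tx_pseudo?
 * A receiver recomputes the checksum its own way and compares with the stored field. */
int sample_interop(int tx_pseudo, int rx_pseudo)
{
    uint8_t pkt[64];
    size_t n = vrrp3_build_advert(pkt, sizeof pkt, 51, 100, 100, SAMPLE_VIP, 1,
                                  SAMPLE_SRC, SAMPLE_DST, tx_pseudo);
    return n != 0 && vrrp3_checksum(pkt, n, SAMPLE_SRC, SAMPLE_DST, rx_pseudo) ==
                     (uint16_t)(((uint16_t)pkt[6] << 8) | pkt[7]);
}

int main(void)
{
    printf("default 0x%04x, v3_checksum_as_v2 0x%04x, default advert accepted "
           "by a v2-style peer: %d\n", sample_checksum(1), sample_checksum(0),
           sample_interop(1, 0));
    return 0;
}
```

A checksum mismatch is silent on the wire: the receiving router drops the advert, its master-down timer expires and it promotes itself, so a keepalived node and a Cisco router that disagree on the pseudo-header end up as two masters for the same VRID. When that symptom appears after this update, capture the adverts and recompute the checksum both ways before touching priorities; the default is unchanged by this release, so `v3_checksum_as_v2` only needs to be set on the instances (or in global_defs) that peer with such equipment.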