[PATCH] keepalived: Update to version 2.3.1

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 14921 bytes --]

- Update from version 2.2.8 to 2.3.1
- Update of rootfile not required
- Changelog
    2.3.1
	This is minutes release to quickly fix minor regression.
	Fixes
	    conf: fix secondary config file location when using –prefix=/usr Commit
	     42a746c - “configure: ${prefix} defaults to NONE which messes up
	     DEFAULT_CONFIG_FILE” broke the checking of whether a secondary default
	     config file location is required
    2.3.0
	This release brings improvements and fix some minor issues reported. Yearly
	 release.
	New
	    vrrp: For use_vmac and use_ipvlan, copy the group from the base interface.
	     It is useful in many instances to set up firewall rules based on
	     interface groups so that sets of interfaces may be aggregated by group and
	     matched with a single rule rather than by listing them all. Prior to this
	     change, when use_vmac or use_ipvlan is used, new interfaces are created
	     with the default group, which breaks this ability. Further complicating the
	     issue is that nftables resolves interface names to ifindex at load time.
	     This is problematic with keepalived’s interface creation, which usually
	     comes after the firewall loading, forcing the use of iifname, oifname
	     instead (similar to iptables -i, -o). By copying the group value, such
	     firewall rules can continue to work regardless of the use_vmac or
	     use_ipvlan settings, since packets may now arrive on, or be routed out
	     from, the new interfaces.
	    vrrp: Addd name option for use_vmac and use_ipvlan. This is to allow an
	     interface name of “bridge” etc.
	    vrrp: Add interface group option for VMACs and ipvlans. Now that the
	     interface group of a VMAC or ipvlan is set, by default, to match its parent
	     interface, this option now allows the group of the VMAC or ipvlan to be
	     explicitly configured and set.
	    ipvs: Add snmp_rs_stats_update_interval. This compliments
	     snmp_vs_stats_update_interval, and also real server stats are now only
	     fetched from the kernel when there is an SNMP request for them; i.e. VS
	     stats and RS stats are updated separately.
	    conf: Add global keyword use_symlink_paths. By default keepalived resolves
	     all symbolic links in path names of scripts to the real path. This commit
	     adds the use_symlink_paths option to maintain the symlinks in paths, so
	     that users can update symlinks in order to update the scripts being called.
	    doc: Add documentation for MH and TWOS schedulers.
	    global: Add per process gprof profiling.
	    systemd: Add KEEPALIVED_OPTION for non-root service file.
	    systemd: Add comment in non-root service file for old systemds.
	Improvements
	    vrrp: Remove extraneous log message for netlink interface message.
	    vrrp: Allow DBus to work with VRRP instances without configured interface.
	     keepalived uses “none” for the interface in the DBus path if a VRRP
	     instance has no configured interface. However, it was not checking
	     explicitly for “none” when a query was received. This commit now adds a
	     specific check.
	    vrrp: Allow specification of string used by DBus for no interface.
	    vrrp: check prefix length when checking if deleted address is a VIP. It is
	     possible, for example, to configure both 10.1.0.3/32 and 10.1.0.3/24 on the
	     same interface. When checking whether an address deleted from an interface
	     is one of our VIPs, we need to also check the prefix length.
	    vrrp: Set sysctl arp_ignore to 1 on IPv6 VMACs. Setting arp_ignore to 1
	     ensures that the VMAC interface does not respond to ARP requests for IPv4
	     addresses not configured on the VMAC.
	    vrrp: Go to fault state if fail to add IPv6 link-local address to VMAC. If
	     an IPv6 VRRP instance uses a VMAC, but adding a link-local address to the
	     interface fails, then the vrrp instance now transitions to fault state,
	     just as happens if the link-local address is removed after it has been added.
	    vrrp: Don’t send IPv6 advert from interface with no address. If an interface
	     has no IPv6 address, no advert can be sent. Rather that logging an error
	     when the send fails, simply don’t send the advert.
	    vrrp: Check interface for static routes if deleted. vrrp: Check interface
	     for static routes if deleted route_is_ours() checked the outgoing interface
	     for virtual routes but not for static routes. This commit now adds checking
	     of the outgoing interface for static routes, and now moves the code to
	     compare routes into a separate function used for both virtual and static
	     routes.
	    vrrp: remove logging on status output. A message is output to the log each
	     time the status is queried. This is not necessary and can therefore be
	     omitted.
	    vrrp: Use addattr32() for setting link group. Set link group for ipvlan
	     interfaces, just like for VMACs.
	    ipvs: ping check extension. use consistent ICMP id and fix sequence number
	     By keeping the sockets used for pings open, the ICMP id field now remains
	     the same for each echo request. The sequence number is now per ping check,
	     and is now sent in big endian order.
	    ipvs: Reduce logging of activating health checkers. Don’t log activating
	     checkers after a reload if they are already active.
	    ipvs: Remove checkers_queue. A configuration with 2277 virtual servers, with
	     a total of 37205 real servers with each real server having one checker was
	     taking 132 seconds to reload. This commit reduces the reload time to 0.24
	     seconds, a reduction of 99.8%! The problem was due to every real server
	     iterating through all checkers, 37205 * 37205 = 1,384,212,025 iterations,
	     not only once but several times. The code now maintains a list of checkers
	     for each real server. The disadvantage of this is that to iterate through
	     all checkers requires iterating through all virtual servers, and all their
	     real servers and then for each real server the list of checkers. If there
	     are relatively few checkers compared to real servers, this will take longer
	     than using the checkers_queue, but using a queue per real server is still
	     fast, and the only time the code iterates through all the checkers is at
	     startup/reload, other than dumping the configuration.
	    ipvs: don’t call protocol_to_index() unless using auto fwmarks.
	     protocol_to_index() must only be called when there is an index. This is
	     when the virtual server uses a virtual server group that is using auto
	     fwmarks.
	    ipvs: add set and alive status for sorry servers in keepalived_check.data.
	    ipvs: Reinstate non-failed real servers if remove sorry server. When there
	     is no sorry server, the quorum is not used, and real servers are only
	     removed if a checker fails. On the other hand if there is a sorry server,
	     if the number of alive real servers falls below the quorum, all non-failed
	     real servers are removed when the sorry server is added. If the sorry
	     server is remomed from the configuration, non-failed real servers need to
	     be reinstated.
	    ipvs: don’t remove sorry server if inhibit added but server is alive.
	    ipvs: inhibit extensions: If inhibit is changed on a failed real server,
	     add/remove it. If inhibit is added to inactive sorry server set weight 0.
	     If inhibit cleared for inactive sorry server, clear s_svr->set.
	    ipvs: Add snmp_vs_stats_update_interval for updating SNMP stats. The timer
	     for updating VS and RS stats for SNMP was hard coded to 5 seconds. This
	     commit still deffaults to 5 seconds but allows the timer to be configured.
	    ipvs: Misc SNMP updates and extensions. Don’t duplicate storage of 32 bit
	     SNMP stats. Use correct variable for returning 64 bit stats for SNMP. Add
	     counter64 options for 64 bit SNMP stats. Use SNMP variable3/4/7 instead of
	     variable8 where appropriate. streamline SNMP real server code when no sorry
	     server. Merge several SNMP functions that were doing nearly the same thing.
	     Streamline finding VS group entry for SNMP. Streamline finding RS for SNMP.
	     Streamline finding VS for SNMP. set var_len = 0 when returning an error to
	     SNMP. fix building with SNMP support without using netlink interface.
	    systemd: Change NotifyAccess to be main rather than all for non-root.
	    doc: Clarify documentation for “weight” in track_process. The default value
	     for weight should be 0, and not 1 as previously stated.
	    doc: update description for v3_checksum_as_v2.
	Fixes
	    vrrp: Stop link local VMAC address responging to neighbour solicit. When an
	     IPv6 VRRP instance using VMAC is in backup state, the link local address
	     configured on the VMAC interface is the same as the link local address on
	     the parent interface of the VMAC. This causes a problem with switches
	     learning the MAC address of the VMAC is now on the backup. This causes
	     packets meant to be sent to the master being sent to the backup. This
	     commit uses nftables/iptables to stop neighbour advertisements for the link
	     local address of the VMAC interface and its parent interface being sent
	     from the VMAC interface.
	    vrrp: fix global skip_check_adv_addr and strict_mode parsing.
	     skip_check_adv_addr and strict_mode take an option parameter, but
	     keepalived wasn’t parsing it, and assumed it was set on/true/yes.
	    vrrp: work around missing promiscuous netlink notifications. If the base
	     interface does not implement IFF_UNICAST_FLT, for example it is a bridge
	     interface, no netlink notification is sent by the kernel when promiscuity
	     is set on the base interface. The promiscuous state of the base interface
	     is correct in the kernel but it is in incorrect in daemons that listen to
	     the interface netlink messages (eg. DPDK). The issue is still there in
	     kernel 6.4.6. Force a notification by re-setting IFLA_GROUP for the base
	     interface.
	    vrrp: Fix specifying netlink_notify_msg for VMAC when name set. Trying to
	     specify a VMAC name as well as netlink_notify_msg did not work for use_vmac.
	    ipvs: fix issue in reload process when using virtual server groups. issue:
	     when using virtual server groups, remove vs entry in configure file and
	     then do reload, vs entry can not be removed. And add vs entry in configure
	     file and the do reload, rs with 0 port will be set. fix: in reload process
	     do the same action with ipvs_group_cmd. set rs port with vs port and update
	     live state
	    ipvs: add/remove sorry server of group server when reload. issue: when using
	     virtual server groups, if all rs down and sorry server up, at this time
	     remove/add vs entry in configure file and then do reload, vs entry can not
	     be removed. fix: add/remove sorry server same as normal rs when reload
	     server groups
	    check: if lost misc check child register checker agagin. issue: misc
	     check_child_thread timeout and remove child_pid form rb_data, timeout
	     callback of check_child_thread is not be called, if at this time misc
	     script done and exit, and child termination will do nothing because
	     child_pid was remove form rb_data. in this case timeou callback will not
	     register checker again, the checker will lost. fix: if lost misc check
	     child register checker again
	    lib: Stop setting MAGIC_PRESERVE_ATIME flag. On RedHat systems setting
	     MAGIC_PRESERVE_ATIME caused SELinux errors.
	    core: make startup/shutdown scripts work when not using –dont-fork.
	     check_start_stop_script_secure() checks that the parent process has not
	     changed while it is doing its checks, so we need to set the pid of the
	     parent process (main_pid) before calling the function. There is a further
	     complication that called getppid() too soon after a fork() with the parent
	     process exiting after the fork means that we don’t get the pid of the new
	     parent, so we need to loop until getppid() returns a diffweent pid.
	    core: initialise script structure in start_validate_reload_conf_child(). Due
	     to the path field not being set to NULL, it was attempting to exec a random
	     string when reload_check_config was configured.
	    systemd: Fix snmp option in non-root service file.

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 lfs/keepalived | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/lfs/keepalived b/lfs/keepalived
index fbb60a2ff..ed1ad87d3 100644
--- a/lfs/keepalived
+++ b/lfs/keepalived
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2023  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = A keepalive facility for Linux
 
-VER        = 2.2.8
+VER        = 2.3.1
 
 THISAPP    = keepalived-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = keepalived
-PAK_VER    = 15
+PAK_VER    = 16
 
 DEPS       =
 
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 3d8d738a0c4e6f00ea8dc3603813d21e52e259d301872f2db16c3373c3a034bedcf3f02e19d1b50855d90bbfece863e710d75a67e2d6dd057dfe451608a73fcb
+$(DL_FILE)_BLAKE2 = f4e0de6147f0a33d2d87f12da4dda014fa820ba3502fd8f92eaaa4a8e56d26ea4bb1902df5c7ee13e4b81336e3b237d1ddc8247e443ea351646259c9e1ddb90b
 
 install : $(TARGET)
 
@@ -81,8 +81,10 @@ $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc \
-		--with-kernel-dir=/usr
+	cd $(DIR_APP) && ./configure \
+				--prefix=/usr \
+				--sysconfdir=/etc \
+				--with-kernel-dir=/usr
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 
-- 
2.46.0