vyos/vyos-build
1
0
Fork 0
mirror of https://github.com/vyos/vyos-build.git synced 2025-10-01 20:28:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

keepalived:T5402:Added patch with arp_ignore to 1 on IPv6 VMACs

Browse Source 
Added patch with commit '9ca8688' to pkg-keepalived 1:2.2.7-1
9ca8688c7f
Setting arp_ignore to 1 ensures that the VMAC interface does not respond
to ARP requests for IPv4 addresses not configured on the VMAC.
This commit is contained in:
aapostoliuk 2023-10-27 15:09:29 +03:00
parent f2614bf9dc
commit 86a9788070
4 changed files with 213 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
packages/keepalived/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
keepalived/

33
packages/keepalived/Jenkinsfile vendored Normal file
View File

@ -0,0 +1,33 @@
// Copyright (C) 2023 VyOS maintainers and contributors
//
// This program is free software; you can redistribute it and/or modify
// in order to easy exprort images built to "external" world
// it under the terms of the GNU General Public License version 2 or later as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
@NonCPS
// Using a version specifier library, use 'current' branch. The underscore (_)
// is not a typo! You need this underscore if the line immediately after the
// @Library annotation is not an import statement!
@Library('vyos-build@current')_
def package_name = 'keepalived'
def pkgList = [
['name': "${package_name}",
'scmCommit': 'debian/1%2.2.7-1',
'scmUrl': 'https://salsa.debian.org/debian/pkg-keepalived.git',
'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; ../build.py'],
]
// Start package build using library function from https://github.com/vyos/vyos-build
buildPackage("${package_name}", pkgList, null, true, "**/packages/${package_name}/**")

50
packages/keepalived/build.py Executable file
View File

@ -0,0 +1,50 @@
#!/usr/bin/env python3
from pathlib import Path
from shutil import copy as copy_file
from subprocess import run
# copy patches
def apply_deb_patches() -> None:
"""Apply patches to sources directory
"""
patches_dir = Path('../patches')
current_dir: str = Path.cwd().as_posix()
if patches_dir.exists():
patches_list = list(patches_dir.iterdir())
patches_list.sort()
Path(f'{current_dir}/debian/patches').mkdir(parents=True, exist_ok=True)
series_file = Path(f'{current_dir}/debian/patches/series')
series_data = ''
for patch_file in patches_list:
print(f'Applying patch: {patch_file.name}')
copy_file(patch_file, f'{current_dir}/debian/patches/')
if series_file.exists():
series_data: str = series_file.read_text()
series_data = f'{series_data}\n{patch_file.name}'
series_file.write_text(series_data)
def build_package() -> bool:
"""Build a package
Returns:
bool: build status
"""
build_cmd: list[str] = ['dpkg-buildpackage', '-uc', '-us', '-tc', '-b']
build_status: int = run(build_cmd).returncode
if build_status:
return False
return True
# build a package
if __name__ == '__main__':
apply_deb_patches()
if not build_package():
exit(1)
exit()

129
packages/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch Normal file
View File

@ -0,0 +1,129 @@
From af4aa758c3512bec8233549e138b03741c5404f9 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Sat, 14 Oct 2023 15:37:19 +0100
Subject: [PATCH] vrrp: Set sysctl arp_ignore to 1 on IPv6 VMACs
Setting arp_ignore to 1 ensures that the VMAC interface does not respond
to ARP requests for IPv4 addresses not configured on the VMAC.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
keepalived/include/vrrp_if_config.h | 2 +-
keepalived/vrrp/vrrp_if_config.c | 28 ++++++++++++++++++++--------
keepalived/vrrp/vrrp_vmac.c | 5 ++---
3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/keepalived/include/vrrp_if_config.h b/keepalived/include/vrrp_if_config.h
index 35465cd..c35e56e 100644
--- a/keepalived/include/vrrp_if_config.h
+++ b/keepalived/include/vrrp_if_config.h
@@ -34,7 +34,7 @@ extern void set_promote_secondaries(interface_t*);
extern void reset_promote_secondaries(interface_t*);
#ifdef _HAVE_VRRP_VMAC_
extern void restore_rp_filter(void);
-extern void set_interface_parameters(const interface_t*, interface_t*);
+extern void set_interface_parameters(const interface_t*, interface_t*, sa_family_t);
extern void reset_interface_parameters(interface_t*);
extern void link_set_ipv6(const interface_t*, bool);
#endif
diff --git a/keepalived/vrrp/vrrp_if_config.c b/keepalived/vrrp/vrrp_if_config.c
index cfce7e2..fbfd34c 100644
--- a/keepalived/vrrp/vrrp_if_config.c
+++ b/keepalived/vrrp/vrrp_if_config.c
@@ -81,6 +81,11 @@ static sysctl_opts_t vmac_sysctl[] = {
{ 0, 0}
};
+static sysctl_opts_t vmac_sysctl_6[] = {
+ { IPV4_DEVCONF_ARP_IGNORE, 1 },
+ { 0, 0}
+};
+
#endif
#endif
@@ -216,11 +221,14 @@ netlink_set_interface_flags(unsigned ifindex, const sysctl_opts_t *sys_opts)
#ifdef _HAVE_VRRP_VMAC_
static inline int
-netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp)
+netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
{
- if (netlink_set_interface_flags(ifp->ifindex, vmac_sysctl))
+ if (netlink_set_interface_flags(ifp->ifindex, family == AF_INET6 ? vmac_sysctl_6 : vmac_sysctl))
return -1;
+ if (family == AF_INET6)
+ return 0;
+
/* If the underlying interface is a MACVLAN that has been moved into
* a separate network namespace from the parent, we can't access the
* parent. */
@@ -271,9 +279,9 @@ netlink_reset_interface_parameters(const interface_t* ifp)
}
static inline void
-set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp)
+set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
{
- if (netlink_set_interface_parameters(ifp, base_ifp))
+ if (netlink_set_interface_parameters(ifp, base_ifp, family))
log_message(LOG_INFO, "Unable to set parameters for %s", ifp->ifname);
}
@@ -310,11 +318,15 @@ reset_promote_secondaries_devconf(interface_t *ifp)
#ifdef _HAVE_VRRP_VMAC_
static inline void
-set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp)
+set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
{
unsigned val;
set_sysctl("net/ipv4/conf", ifp->ifname, "arp_ignore", 1);
+
+ if (family == AF_INET6)
+ return;
+
set_sysctl("net/ipv4/conf", ifp->ifname, "accept_local", 1);
set_sysctl("net/ipv4/conf", ifp->ifname, "rp_filter", 0);
@@ -524,15 +536,15 @@ restore_rp_filter(void)
}
void
-set_interface_parameters(const interface_t *ifp, interface_t *base_ifp)
+set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
{
if (all_rp_filter == UINT_MAX)
clear_rp_filter();
#ifdef _HAVE_IPV4_DEVCONF_
- set_interface_parameters_devconf(ifp, base_ifp);
+ set_interface_parameters_devconf(ifp, base_ifp, family);
#else
- set_interface_parameters_sysctl(ifp, base_ifp);
+ set_interface_parameters_sysctl(ifp, base_ifp, family);
#endif
}
diff --git a/keepalived/vrrp/vrrp_vmac.c b/keepalived/vrrp/vrrp_vmac.c
index e5ff0e9..021953a 100644
--- a/keepalived/vrrp/vrrp_vmac.c
+++ b/keepalived/vrrp/vrrp_vmac.c
@@ -407,10 +407,9 @@ netlink_link_add_vmac(vrrp_t *vrrp, const interface_t *old_interface)
if (!ifp->ifindex)
return false;
- if (vrrp->family == AF_INET && create_interface) {
+ if (create_interface) {
/* Set the necessary kernel parameters to make macvlans work for us */
-// If this saves current base_ifp's settings, we need to be careful if multiple VMACs on same i/f
- set_interface_parameters(ifp, ifp->base_ifp);
+ set_interface_parameters(ifp, ifp->base_ifp, vrrp->family);
}
#ifdef _WITH_FIREWALL_
--
2.34.1