forked from acassen/keepalived
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathChangeLog
8066 lines (7933 loc) · 443 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
2019-05-03 Alexandre Cassen <acassen@keepalived.org>
* keepalived-2.0.16
* Add log_unknown_vrids keyword.
Commit 21e6f5f added logging when a VRRP packet was received on an
interface and the VRID in the advert was not configured on that
interface.
Due to valid uses of keepalived having a VRRP instance on an
interface, but there being other, independent, VRRP instances with
different VRIDs on the same interface, this patch only enables logging
of unknown VRIDs if it is specifically configured.
* Stop segfault when reload and using -x option.
* Fix compilation error found by Travis-CI.
* Fix a couple of typos.
* Ensure check command line when needed for track process.
* Check if comm really changed when get PROC_EVENT_COMM_CHANGE.
* Fix debounce delay handling for track_process.
* Optimise add_process().
* Remove processes no longer being monitored.
* Optimise check_process().
* Ignore process threads for track_process.
* Allow matching of process parameters in track_process
This additional functionality was requested in issue #1190.
* Allow separate delay timers for fork and process exit in
track_process.
* Add quorum_max for track_process.
This allows track_process to go to fault state if more than a
specified number of instances of a process are running. In particular
it can go to fault state if more than one instance is running, and
also if any instance of a process is running.
* Add configuring process name.
With up to 4 processes running all named keepalived, it can be
difficult to know which is which. The commit adds the option to
allow process name to be set independantly for each process.
* Handle macvlans/macvtaps being moved into different namespace from parent
If a macvlan or macvtap interface is moved into a different namespace from
its parent, and the interface is in the namespace in which keepalived is
running, keepalived is unable to get information about, or configure, the
parent interface. In this case, treat the macvlan/macvtap interface as though
it doesn't have a parent interface.
There are a couple of consequences of this in this situation:
1) If a vrrp instance is configured with use_vmac and its configured interface
is such a macvlan/macvtap interface, keepalived cannot ensure that the
arp_ignore and arp_filter settings are correct on the parent
2) keepalived cannot check that there a not duplicate VRIDs being used on the
interface.
* Typo writing word error fix.
* Add vrrp instance priority change notifications on FIFOs only.
Issue #1213 requested notification of vrrp instance priority changes,
and this commit implements that with new FIFO messages:
INSTANCE "VI_0" MASTER_PRIORITY 220
INSTANCE "VI_0" BACKUP_PRIORITY 254
This has been implemented via notify FIFOs only, since the order of
processing of scripts is indeterminate if events happen quickly in
succession, potentially causing the last processed priority by a
script not to be the lastest priority, and using SMTP notification
would be ridiculous.
* Allow user and group ownership of FIFOs to be configured.
* Remove extraneous debugging message from process_name commit
Commit 4ad6d11 - "Add configuring process name" accidentally left
a debugging log message in the code. This commit removes it.
* Fix FREE error if tracked process has no parameters.
* Fix track processes when reloading.
* Fix route add/delete on reload if only change via address
If a virtual_iproute
src 100.100.100.100 2.2.2.2/32 via 100.100.100.2 dev eth0
is changed to
src 100.100.100.100 2.2.2.2/32 via 100.100.100.1 dev eth0
on a reload the route didn't get updated. The reason is that the
via address wasn't used in the comparison of routes, so keepalived
didn't detect that it had changed.
* Define TASK_COMM_LEN rather than use numbers in code.
* Fix promote_secondaries.
* Add snmpd.service to keepalived.service if SNMP enabled.
* Add issue templates for github.
* Make utils.c function parameters const where appropriate.
* Add missing info to check process dump file.
* Make ipvs_talk() error message more meaningful
The error message used to just output the IPVS command number, now
the name of the command is reported too.
* Make more use of LIST_FOREACH in ipwrapper.c.
* Change VS_ISEQ etc to be functions and correct them.
* Resolve removing virtual servers in virtual server groups after
reloading.
* Update NOTE_vrrp_vmac.txt re sysctl settings.
* Ignore base interfaces of macvlans if in a different namespace.
* Don't lose sin_addr_l and sin6_addr_l lists from interface when recreate
Issue #1232 identified that keepalived segfaulted when an interface was
recreated. This commit resolves the problem of the address lists being
lost.
* Fix commit 128bfe6 for pre v4.0 kernels
Commit 128bfe6 - "Ignore base interfaces of macvlans if in a different
namespace" added using IFLA_LINK_NETNSID to detect if the parent of an
interface was in a different namespace. Unfortunately that was only
introduced in Linux v4.0, so don't attempt to use it if it is not
defined.
For kernels older than v4.0 if a macvlan interface's parent is in
another network namespace, but the ifindex of the parent interface also
exists in the namespace in which keepalived is running, then keepalived
will believe the parent of the macvlan is the wrong interface.
* Fix commit 3207f5c - IFLA_LINK_NETNSID is not #define'd
This fixes commit 3207f5c - "Fix commit 128bfe6 for pre v4.0 kernels".
A configure test is needed to check for IFLA_LINK_NETNSID.
* Further fixes/improvements for MACVLAN parents in different
namespaces.
* allow to set zero weight for real server.
* Add comments re needing to enable protocol 112 in an AWS security
group.
* Check if base i/f of a residual macvlan is in correct namespace.
* Stop segfault if using DBus and have invalid VRRP configuration.
If a VRRP instance was removed by vrrp_complete_init() it was causing
a segfault in the DBus code. The commit moves the initialisation of
DBus until after the validity of the VRRP instances has been checked.
* Handle DBus process properly when reloading.
DBus may change from being enabled to disabled or vice versa and
the code didn't handle that.
* Close DBus pipes when stop using DBus.
* Add some more LIST_FOREACH to DBus code.
* Move a g_free() to after last use of the freed string in vrrp_dbus.
* Fix error in man page.
* Handle network namespace name properly when reloading.
* Don't call g_hash_table_remove() when using g_hash_table_foreach_remove()
g_hash_table_foreach_remove() removes each object from the hash table,
so calling g_hash_table_remove() as well made it not work properly.
* Resolve various aspects of reloading when also using DBus.
1. Add ability for DBus to be enabled and disabled at reload
2. Correctly handle vrrp_instance name change for matching interface/
family/VRID.
3. Correct handling of interface/family/VRID change for a vrrp_instance
with the same name.
* Resolve segfault when a vrrp_instance has no interface specified.
* Fix sending priority 0 adverts after reload for deleted vrrp
instances.
During a reload, vrrp_dispatcher_release() was called prior to
reloading the configuration, and it closed all the vrrp send/receive
sockets. However it isn't until after the reload that it is known which
vrrp instances no longer exist, and clear_diff_vrrp() attempted to send 0
priority adverts for those instances. Since the sockets had already been
closed, the adverts could not be sent. Worse, the socket_t structures had
been released, but the released memory was accessed in attempting to send
the adverts.
This commit delays calling vrrp_dispatcher_release() until after the new
configuration has been reloaded, and it sends 0 priority adverts before
all the old sockets are closed. Following this new sockets are opened.
It would be possible to make the code more efficient and retain the sockets
that still need to be used, rather than closing them and opening new ones,
but that is for another commit.
* Update some comments in vrrp_snmp.c.
* Use structure initialisation to clear struct, rather than memset.
* Fix logging if receive EPOLLHUP, EPOLLERR and add for EPOLLRDHUP.
* Add support for network timestamp debugging.
* Check return code from recvfrom() before other values for
track_process.
* Use IPV6_RECVPKTINFO rather than IPV6_RECVHOPLIMIT when check
multicast.
* Ensure virtual servers are properly removed when reloading.
Pull request #1246 provided a patch to resolve the issue of virtual
servers in a virtual server group that are deleted from the virtual
server group on a reload weren't being removed from the IPVS
configuration. However, the patch didn't quite work with the current
HEAD of the master branch.
This commit incorporates that patch provided and makes the necessary
adjustments for it to work correctly.
* Cosmetic changes to IPVS code.
* Make clear the IPv6 instances use VRRP version 3.
* Delete redundant code.
* Update comments in vrrp_nftables.c.
* Update for gcc v9
Detect if -Wchkp is no longer supported, and fix a -Wstrict-overflow
warning in write_backtrace().
* Add additional compiler warnings available in gcc verion 9.
2019-04-04 Alexandre Cassen <acassen@keepalived.org>
* keepalived-2.0.15
* Fix uninitialised variable.
* Fix rpmbuild on CentOS7, and rely on auto-requires.
* Add option to flush lvs on shutdown.
Currently all known virtual servers and their real servers are
removed one at a time at shutdown. With large configurations on
a busy system, this can take some time.
Add an option just like the existing 'lvs_flush' which operates
on shutdown. Typical environments with a single keepalived instance
can take advantage of this option to achieve a faster shutdown or
restart cycle.
* Make alpha mode checkers on new real servers start down on reload.
Patch #1180 identified that new real servers with alpha mode checkers
were being added online immediately, and if the checker then failed
were being removed. This commit makes real servers that didn't exist
before the reload start in down state if they have alpha mode checkers.
* Remove duplicate config dump entry.
* Make new real servers at reload start down if have alpha mode
checkers.
* Close checker and smtp_alert sockets on reload.
Issue #1177 identified that sockets were being left open (lost) after
a reload. It transpired that these were sockets opened by TCP_CHECK,
HTTP_GET, SSL_GET, DNS_CHECK and SMTP_CHECK checkers, and by smtp_alerts
in the process of being sent.
This commit adds an extra parameter to thread_add_read() and
thread_add_write() to allow indicating that the scheduler should close
the socket when destroying threads.
* Send vrrp group backup notifies at startup.
* Make inhibit_on_failure be inherited by real server from virtual
server.
* Allow real and sorry servers to be configured with port 0
This is to maintain backwards compatibility with keepalived prior
to commit d87f07c - "Ensure always check return from inet_stosockaddr
when parsing config".
The proper way to configure this is to omit the port, which requires
the next commit.
* Don't setup IPVS config with real and virtual servers ports
different.
If the real server is using DR or TUN, the port of the real server must
be the same as the port of the virtual server. This commit uses the
virtual server port for the real server when configuring IPVS.
* Log warnings if real server and virtual server ports don't match
This commit adds logging warnings if virtual and real server ports,
when using TUN or DR, don't match.
It also sets the real server ports to be the same as the virtual server
ports. Although listing the IPVS configuration with ipvsadm will look
different, the kernel ignored the port of a real server when using DR
or TUN, so the behaviour isn't changed, but when looking at the
configuration it now shows what is actually happening.
* Fix warning when protocol specified for virtual server with fwmark.
* Add log message that nb_get_retry is deprecated.
* Fix whitespace in configure.ac.
* Fix configure error when systemd not installed
configure was trying to execute
pkg-config --variable=systemdsystemunitdir systemd
even if systemd was not available.
This commit makes configure only execute the above if it has determined
that systemd is the correct init package to use.
* Correct references to RFC6527 (VRRPv3 SNMP RFC).
* nsure checker->has_run is always set once a checker has run.
* Fix some indentation in configure.ac.
* Update fopen_safe() to open temporary file in destination directory
rename() in fopen_safe() was failing if the file being created
was not on the same filesystem as /tmp.
* Add ${_RANDOM} configuration keyword.
It might seem strange to introduce random elements to configuration
files, but it can be useful for testing.
* Fix using ~SEQ() in multiline configuration definitions.
* Make blank lines terminate a multiline definition.
* Minor updates for lvs_flush_on_stop.
* Add option to skip deleting real servers on shutdown or reload
If a virtual server is removed, the kernel will remove its real servers,
so keepalived doesn't explicitly need to do so.
The lvs_flush_onstop option removes all LVS configuration, whereas this
new option will only remove the virtual servers managed by keepalived.
* Correct error message re checker_log_all_failures.
* Fix syntax error in configure.ac.
* Fix track_process initialisation for processes with PIDs starting 9.
* Remove debugging log message.
* Remove inappropriate function const attributes
They were causing iptables/ipsets not to be initialised.
* Stop warning: function might be candidate for attribute ‘const’
Depending on what configure options are selected, gcc can output
the above warning for initialise_debug_options().
This commit ensures that the warning is not produced.
* Enable strict-config-checks option in keepalived.spec RPM file.
* vrrp: relax attribute 'const' warning at iptables helpers.
* Propagate libm to KA_LIBS.
* Fix building on Alpine Linux.
Alpine (musl) doesn't have a definition of __GNU_PREREQ, so create a
dummy definition.
2019-03-24 Alexandre Cassen <acassen@keepalived.org>
* keepalived-2.0.14
* Add compiler warning -Wfloat-conversion and fix new warnings.
It was discovered that passing 0.000001 as a parameter specified
as uint32_t to a function did not generate any warning of type
mismatch, or loss of precision.
This commit adds -Wfloat-conversion and fixes 3 instances of new
warnings that were generated.
* For non systemd enviroment, it occurs syntax error 'fi'.
To avoid syntax error, modify keepalived.spec.in.
* When uninstall keepalived with init upstart, stop keepalived process.
* Fix type re LOG_INGO should be LOG_INFO * 6git stash --cached.
The code was actualy in a #ifdef INCLUDE_UNUSED_CODE block, and
so isn't currently compiled.
* Register missing thread function for thread debugging.
* Fix reutrn value of notify_script_compare misusing issue.
* Fix typo in keepalived.conf man page re BFD min_rx.
* Fix segfault when bfd process reloads config.
Issue #1145 reported the bdf process was segfaulting when reloading.
The bfd process was freeing and allocating a new thread_master_t
when reloading, which doesn't work. This commit changes the bfd
process to clean and reinitialise the thread_master_t.
* Fix segfault in handle_proc_ev().
On Linux 3.10 the ack bit can be set in a connector message, and
the CPU number is set to UINT32_MAX. This commit skips acks, and
also checks that CPU number is within range of the number of CPUs
on the system.
* Fix OpenSSL init failure with OpenSSL v1.1.1.
OpenSSL v1.1.1, but not v1.1.0h or v1.1.1b failed in SSL_CTX_new()
if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously
been called.
This commit doesn't call OPENSSL_init_crypto() if doing so causes
SSL_CTX_new() to fail.
* Remove all references to libnfnetlink.
Commit 2899da6 (Stop using linbl for mcast group membership and
setting rx buf sizes) stopped using libnfnetlink, but INSTALL and
keepalived.spec.in were not updated accordingly.
* Fix genhash re OPENSSL_init_crypto bug and improve configure.ac.
Commit fe6d6ac (Fix OpenSSL init failure with OpenSSL v1.1.1) didn't
update the identical code in genhash/ssl.c. Also, an improvement for
the test in configure.ac was suggested.
* Fix log output when real server removed.
FMT_VS() and FMT_RS() both call inet_sockaddrtotrio which uses a
static buffer to return the formatted string, but since FMT_VS(),
wheich simply calls format_vs() copies the returned string to its
own static buffer, if FMT_VS() was called before FMT_RS() then
the returned strings from both could be used.
The problem occurs when both FMT_VS() and FMT_RS() are used as
parameters to log_message() (or printf etc). It appeared to work
fine on x86_64, but was writing the same IP address for both the
real server and virtual server on ARM architectures. This is due
to the compiler evaluating parameters to the log_message() function
call in a different order on the different architectures.
This commit adds inet_sockaddrtotrio_r() which allows the output
to be in a buffer specified by the caller, and so FMT_VS() and
FMT_RS() can now be called in either order without one overwriting
a buffer used by the other.
* Streamline some string formatting with FMT_RS() and FMR_VS().
Following commit 9fe353d (Fix log output when real server removed)
some code can be streamlined now that the order of calling FMT_VS()
and FMT_RS() does not matter.
* Replace FMT_HTTP_RS(), FMT_TCP_RS() and FMT_DNS_RS() with FMT_CHK().
They were all simply defined to be FMT_CHK() so just replace them
with that. This made it much simpler to find all used of FMT_CHK().
* Fix building with gcc 4.4.7 (Centos 6.5).
gcc v4.4.7 doesn't support -Wfloat-conversion, so check for it at
configure time.
* Add dumping checker config/status when receive SIGUSR1.
* Don't put alpha mode checkers into failed state at reload
If a new checker is added at a reload, unless the real server aleady
has failed checkers, then ignore the alpha mode of the checker. This
means that the real server, if up, won't be taken down and then brought
back up again almost straight away. If the real server already has
failed checkers, then setting an alpha mode checker down initially
won't take down the real server, so we can allow the alpha mode setting
to apply.
* Handle alpha mode checkers initial failure at startup better.
* Fix compile failure discovered by Travis-CI.
* Fix calling syslog when not using signalfd().
Pull request #1149 identified that syslog is AS-Unsafe (see signal-safety
man page), and that therefore signals should be blocked when calling it.
This commit blocks signals when calling syslog()/vsyslog() when signalfd()
is not being used.
* Rationalise function attributes.
* Fix enable-optimise configure option.
* Use AS_HELP_STRING for all options in configure.ac.
* Streamline genhash -h option.
* Make genhash -v version match keepalived.
* Fix config check of virtual server quorum against weights of real
servers.
* Fix some configure tested checks for OPENSSL_init_crypto.
* Add infrastructure for adding additional compiler warnings.
* Add standard and extra compiler warnings.
* Add and resolve missing-declarations and missing-prototypes warnings
Approximately 16 additional functions are now declared static.
* Add and resolve old-style-definitions warnings
* Add and resolve redundant-decls warnings
* Add and resolve jump-misses-init warnings
* Add and resolve shadow warnings
* Add and resolve unsuffixed-float-constants warnings
* Add and resolve suggest-attribute=const warnings
* Add and resolve suggest-attribute=format warnings
* Add and resolve suggest-attribute=malloc warnings
* Add and resolve suggest-attribute=noreturn warnings
* Add and resolve suggest-attribute=pure warnings
* Add and resolve unused-macros warnings
* Add and resolve null-dereference warnings
* Add and resolve float-equal warnings
* Add and resolve stack-protector warnings
* Add and resolve strict-overflow=4 warnings
* Add and resolve pointer-arith warnings
This particularly includes adding a number of bytes to a void *.
* Add and resolve cast-qual warnings
* Resolve additional warnings identified on Centos 6.5/gcc 4.4.7
* Remove static from zalloc()
* Fix some compiler warnings on Ubuntu Xenial, and add comments re
others.
* Rename LIST parameters to lst in list_head.h to avoid upper case.
* Fix real server checkers moving from failed to OK on reload.
* add rs judgement in migrate_checkers.
* Detect connection failure in genhash and exit rather than loop.
* Add another function pure attribute.
* Fix sending notifies for vrrp instances at startup when in sync group
Issue #1155 idenfified that notify scripts for vrrp instance transition
to backup state when keepalived started up were not being sent if
the vrrp instance was in a sync group. It was also the case that SNMP
traps, SMTP alerts and FIFO notifies were not being sent either.
This commit make keepalived send the initial notifies when the vrrp
instance is in a sync group.
* Fix building keepalived RPM on Fedora 26.
For some reason -fPIC is needed when testing for the presence of
setns().
* Add vrrp_startup_delay configuration option.
Some systems that start keepalived at boot time need to delay the
startup of the vrrp instances, due to network interfaces taking
time to properly come up. This commit adds a global configuration
option vrrp_startup_delay that delays the vrrp instances starting
up, for the specified number of seconds.
* Handle checkers properly when reload immediately after startup.
* Streamline some of the SMTP checker code.
* Create separate checker for each host in SMTP_CHECK block
Having multiple host entries in an SMTP_CHECK block is deprecated.
This commit streamlines the SMTP_CHECK code by creating a separate
SMTP checker for each host declared in the SMTP_CHECK block, so that
apart from parsing the configuration, the code no longer handles
multiple hosts per checker.
The support for parsing configuration with multiple hosts is only
enabled if WITH_HOST_ENTRIES is defined in check_smtp.c. It is
currently enabled, but when support for multiple hosts in the
SMTP_CHECK block is finally removed, it will simply be a matter of
deleting all code in the WITH_HOST_ENTRIES conditional blocks.
* Make checker fail if ENETUNREACH returned by connect().
The connect() call can return some immediate errors such as ENETUNREACH.
These were not being treated as a failure of the checker, since the code
used to assume that any non success return by connect() meant that the
connection was in progress.
keepalived will now treat ENETUNREACH, EHOSTUNREACH, ECONNREFUSED,
EHOSTDOWN, ENETDOWN, ECONNRESET, ECONNABORTED, ETIMEDOUT, when returned
by connect(), as meaning that the checker has failed.
* Don't set SO_LINGER with a timeout of 0
SO_LINGER with a timeout of 0 causes a TCP connection to be reset
rather than cleanly closed. Instead of specifying a timeout of 0,
use 5 seconds, so that there is an orderly shutdown of the TCP
connection, but the close socket doesn't remain in TIMED_WAIT state
for more than a short time.
* nftables: fix build with kernel lower than 4.1.
* Remove dead code & cosmectics.
Remove code marked as UNUSED where things simply go nowhere even if
define is set. We keep for the moment UNUSED code related to debug
helpers used during coding process.
2019-02-19 Alexandre Cassen <acassen@keepalived.org>
* keepalived-2.0.13
* Add BFD build option to keepalived.spec rpm file
Issue #1114 identified that the keepalived.spec file was not being
generated to build BFD support even if keepalived had been configured
to support it.
* Copy tarball to rpmbuild/SOURCES when building in place
It seems that even when building in place, rpmbuild expects the
tarball to be in the rpmbuild/SOURCES directory.
* Fix configure check for __always_inline
* Handle interface MAC addresses changing
When an interface is added to a bond interface, if it is the first
interface added, the MAC address of the bond interface is changed
to the MAC address of the added interface. When subsequent interfaces
are added, their MAC addresses are changed to that of the bond
interface.
Issue #1112 identified that if a bond interface is deleted and
recreated, the gratuitous ARPs were sent with the wrong source MAC
address.
This commit now updates interface MAC addresses from the netlink
RTM_NEWLINK messages, so that the correct MAC address is always
used.
* Minor tidying up of opening gratuitous ARP socket.
* Streamline setting SOCK_NONBLOCK on vrrp sockets.
* Use netlink reported hardware address length for unsolicited NAs
ETH_ALEN is correct for Ethernet type interaces, but is not right
for Infiniband interfaces.
* Minor tidying up of opening gratuitous NA socket.
* Make gratuitous ARP/NA sockets non blocking
keepalived shouldn't block when sending gratutious ARP/NA messages.
It is better to lose the messages than for keepalived to block, so
set the sockets non blocking.
* Use netlink provided broadcast address for gratuitous ARP
If an interface has a non-standard broadcast address, we should
honour it.
* Fix building on pre 3.10 kernels re track_process
Issue #1119 reported that keepalived wouldn't build on CentOS 6.
Various PROC_EVENT_* declarations were assumed to exist, some of which
were not introduced until Linux v3.10. Most of them are not needed, but
PROC_EVENT_COMM is used by the track_process code.
This commit now checks for the existence of the PROC_EVENT_* declarations,
but since keepalived uses PROC_EVENT_COMM, track_process is not supported
prior to Linux v3.2.
* Make track_process work prior to Linux 3.2, but with limitations
Prior to Linux 3.2 the PROC_EVENT_COMM event did not exist, which
means that keepalived is unable to detect changes to process name
(/proc/PID/comm) prior to Linux 3.2. most processes do not change
their process name, and so using track_process prior to Linux 3.2
is safe so long as the monitored processes are known not to change
their process name.
* Stop configure failing when nftables is not supported.
* Streamline socket use with linkbeat.
Previously the socket used for ioctls was opened and closed twice per
poll if using MII or ETHTOOL polling, and once per poll if using ioctl
polling. This commit opens the socket once at startup, uses that socket
for all linkbeat polls, and closes it on termination.
* Enable linkbeat polling to work with dynamic interfaces.
* Add linkbeat_interfaces configuration block
It was not possible to indicate that an interface that wasn't used
as the interface of a vrrp instance, but was used either as a track
interface, or for virtual/static ip addresses or routes should use
linkbeat. This commit adds that capability.
* Add ability to specify linkbeat type in linkbeat_interfaces block.
* Add --disable-linkbeat configure option
Does anyone use linkbeat anymore? This commit enables keepalived to
be build without the linkbeat code.
* Don't remove link local IPv6 address from VMAC that isn't keepalived's
If IFLA_INET6_ADDR_GEN_MODE isn't supported and a macvlan interface
already had a (non-default) link local addresss and the link local
address that matched the interface's MAC address was added, keepalived
was removing it as soon as it was added. This commit stop keepalived
removing the address when we shouldn't.
* Set configure init type correctly in keepalived.spec file.
* Fix handling of VMACs with multiple reloads
If a configuration is loaded that has a VRRP instance using a VMAC,
then the configuration is updated to remove that VRRP instance and
keepalived reloads its configuration, then the configuration is
updated again to reinstate the VRRP instance and the configuration
is again reloaded, keepalived thought the VMAC interface still
existed, whereas it was deleted following the first reload.
This commit ensures that keepalived properly detects whether an
interface exists following a reload.
* Remember more than one interface local address per interface
Keepalived needs a local address for each interface it sends adverts
on. If the address keepalived is using is deleted and another address
is configured on the interface, then keepalived should start using
that address. To do this, a list of configured address on each
interfaces needs to be maintained.
* Don't consider VIPs as local addresses when restart after crash
Keepalived maintains a list of addresses per interface that can be
used as source adddresses for adverts. To build the list, keepalived
reads the addresses configured on interfaces when it starts. However,
if keepalived crashed it will have left VIPs configured on interfaces,
and we don't want to use them as advert source addresses.
This commit makes keepalived compare the addresses on interfaces
to VIPs, and ignores any addresses that are VIPs.
* Fix removing left over VIPs at startup.
* Use read_timer() when parsing config where appropriate.
* Allow fractional warmup, delay_loop and delay_before_retry for checkers
To shorten the real server monitoring interval, make it possible to specify
decimal value for following items:
warmup
delay_loop
delay_before_retry
* Update connect_timeout configuration options
Based on the patch submitted by tamu.0.0.tamu@gmail.com this patch
allows setting the connect_timeout to a resolution of micro-seconds.
The patch also adds the ability to set a default value at the virtual
server and real server levels.
* Fix unused variable warning when building only with RFC compliant
SNMP.
* It enable to set zero value as mintime for delay_loop and connect_timeout.
* Add option not to check for EINTR if using signalfd()
If keepalived is using signalfd(), there are no asynchronous signal
handlers, and therefore EINTR cannot be returned.
Currently the check for EINTR is enabled by default, and configure
option --disable-eintr-debug disables the check, while
--enable-eintr-debug enables writing log entries if EINTR is returned.
Once sufficient testing has been performed, the default will be
changed not to test for EINTR if signalfd() is supported.
* Make checking for EAGAIN/EWOULDBLOCK consistent
The code in some places checked errno for EAGAIN and EWOULDBLOCK
and in other places only checked EAGAIN. On Linux EAGAIN == EWOULDBLOCK,
so the check is not necessary, but EAGAIN is not guaranteed to be the
same value as EWOULDBLOCK, so define check_EAGAIN that only checks EAGAIN
if they are the same value, but checks both if they are different.
* Ensure default connection timeout for smtp checker hosts set.
* Set default connection timeout if no smtp check host specified.
* Fix min timer value, zero to 0.000001Sec.
* Add fixing min time for vs_co_timeout_handler() and rs_co_timeout_handler().
* Fix parameter of read_timer(), it treat Mintime and Maxtime as microseconds.
* vrrp: vrrp_dispatcher_read() performance extension
We took time with Quentin to simulate and rework this code. We introduced
2 imbricated while loop:
(1) First one is catching recvfrom EINTR (this code trig
only on kernel older than 2.6.22 where signalfd was firstly introduced).
Newer kernel will immediately break the loop (hey guys: if you are running
older than 2.6.22 it is worth considering upgrading).
(2) Second loop will continue reading from socket until same VRID advert
has been received during the same cycle. After simulating, it appears that
during contention with a lot of VRRP instances (around 1500), this design
is needed to relax socket recvq from growing. This can be viewed as a
Poll-Mode activation during contention and fallback to regular I/O MUX
during normal operations. This loop breaks immediately and re-submit
opration to I/O MUX when there is no more to be read.
* Fix conversion from long for double in read_timer().
* Remove variable timer of unsigned long cast in read_timer().
When Double type variable timer is cast to long type, it's scale falls.
2019-01-26 Alexandre Cassen <acassen@keepalived.org>
* keepalived-2.0.12
* Documentation related.
Remove keepalived.conf.SYNOPSIS content to make a pointer to manpage.
Update README manifest to reflect actual Keepalived goal and features.
* Improve error message if process events connector not enabled in
kernel.
* Add option to disable track-process functionality
Issue #1099 reported that their kernel did not support the proc events
connector, and it would therefore be helpful to have an option to build
keepalived without the track-process functionality.
This commit adds the --disable-track-process configure option.
* Fix vrrp instances going to fault state when have virtual routes
If an interface going down caused a vrrp instance to go to fault
state, and the vrrp instance also had virtual routes, the state
of the vrrp instance would be set to backup when the deletion of
the virtual route was detected. This commit ensures that the vrrp
instance stays in fault state until the interface is brought up
again.
* Remove Red Hat Linux 9 and RH Enterprise Linux 3 from spec file.
Red Hat Linux 9 and Red Hat Enterprise Linux 3 are both based on
Linux 2.4, which is no longer supported by keepalived. The options
in the spec file for Reh Hat Linux 9 have twice caused people to
specify wrong options to configure when trying to build keepalived,
so the options are removed to i) avoid confusion and ii) they are
not longer relevant.
* Add global option vrrp_min_garp.
By default keepalived sends 5 gratuitous ARP/NA messages after
transitioning to master, and 5 more 5 seconds later. This isn't
necessary with modern switches, and so if the vrrp_min_garp option
is set, only one gratuitious ARP/NA message is sent after transition
to master, and no repeat messages are sent 4 seconds later.
* Standardise definition of _INCLUDE_UNUSED_CODE_
* Remove out of date comment re VRRP over IPv6.
* Correct typo in keepalived.conf.5.
* Directly use structure sizes for packet header lengths.
* vrrp_state_fault_rx() is not used.
Wrap the function in conditional compilation so it is not compiled
* Convert so list loops to use LIST_FOREACH.
* Don't recalculate vrrp packet header address.
vrrp_get_header() calculates the address of the vrrp header in a
received packet, but it was being recalculated in vrrp_in_chk().
This commit passes the already calculated address to vrrp_in_chk().
* Ensure a received packet has an AH header if and only if AH auth.
Ensure that a received packet has an AH header if we expect AH
authentication, and doesn't have an AH header if we don't expect
AH authentication.
* Ensure all protocol headers received before return pointer to vrrp header
vrrp_get_header() returns a pointer to the vrrp header, but it now returns
NULL if insufficient data has been received to include all the (IP,
possibly AH, and VRRP) headers (this does not include the VIPs in the VRRP
packet).
This means that when a pointer to the VRRP header is returned, all fields in
all protocol headers can safely be accessed.
* Add check of received IPv6 hop count in multicast adverts
The VRRP RFC requires that IPv6 hop count MUST be checked to be 255,
just as the TTL for IPv6 must be 255. Previously that wasn't being
checked, since IPv6 raw sockets don't provide access to the IPv6
header.
Using recvmsg() rather than recvfrom(), and setting socket option
IPV6_RECVHOPLIMIT allows keepalived to receive the hop count as
ancillary data, and that can now be checked.
* Improve reading from vrrp receive sockets.
Previously no check was made of the return value from recvfrom()/
recvmsg(). This meant than an error could occur (e.g. EINTR), or no
data might be returned, and keepalived would still attempt to process
the receive buffer as though data had been received.
* Enhance and streamline checking of validity of received VRRP packet
This includes checking that a packet is multicast, unless unicast is
expected in which case it is checked for unicast, ensuring that if
AH authentication is used, the next header protocol is VRRP.
The sequence of some checks is revised to ensure that the fields being
checked are valid to be accessed prior to accessing them, e.g. check
that the packet is VRRP version 2 before checking the authentication.
* Stop clearing receive buffer before receiving VRRP packets.
This is no longer necessary now that the appropriate checks are
made of the return status of recvmsg(), and also that the checks
of received packet length and packet headers now do all necessary
checks.
* Add compile time checks for IPV6_RECVHOPLIMIT/IPV6_RECVPKTINFO
support.
* Update keepalived.spec.in build-requires.
The kernel package required for building keepalived is kernel-headers
not kernel-devel. Also, it is superfluous to have package kernel in
the build-requires!
* Add missing file (build.setup) to tarball.
* Fix calculating print format to rlim_t in configure.ac.
* Fix compiler warnings on 32 bit systems re HASH_UPDATE.
Removing all the casts stopped the warnings.
* Use PRI_rlim_t when printing rlim_t types.
* Use %zd/%zu for ssize_t/size_t to avoid warnings on 32 bit systems.
* Fix some space/tab formatting.
* Stop declaring some timer definitions unsigned to stop compiler
warnings.
TIMER_HZ, TIMER_CENTI_HZ, NSEC_PER_SEC were causing some compiler warnings
on some systems due to being defined with a 'U' unsigned suffix. Removing
the unsigned specifier stopped the compiler warnings.
* Fix compiler warning due to incorrect format specifier.
An int64_t should use % PRIi64 and not %ld
* Stop an uninitialized variable compiler warning.
* Fix MEM_CHECK debugging on processors without unaligned memory
access.
* Don't attempt to use unopened socket for getting ipset version.
* Tidy up an error message.
* vrrp: make vrrp_dispatcher_read() async while catching error.
During investigations we decided to update previous patch to resubmit
into I/O MUX on read error. It will make read procedure I/O MUX freindly
by removing potential sync operation potentially leading to a global
I/O MUX desync. We aggreed, the situation is really and very exceptionnal
but could happen.
* vrrp: vrrp_arp_thread split.
Split the function for maintainability purpose.
2019-01-06 Alexandre Cassen <acassen@keepalived.org>
* keepalived-2.0.11
* Fix segfault while shutting down when SNMP activity occurs.
Issue #1061 identified that keepalived could segfault when it
shut down. It appears that this was caused by data being received
on the file descriptors that the snmp agent requests keepalived
to monitor with epoll(). Since the read threads weren't being
processed during a shutdown, the first time an snmp fd was ready,
keepalived discarded the read thread. The second time that fd became
ready there was no thread to handle the fd, and, since the assert()
statement was not compiled in, non existant data was queued to the
thread ready queue.
This commit changes the assert() calls to continue, so that non existant
data is no longer queued to the thread ready queue.
* While shutting down, continue to handle snmp agent fds.
Since we don't shutdown the snmp connection until the very end of
the shutdown process (we need to be able to send snmp traps), we
should continue to handle the snmp fds on behalf of the snmp agent
while shutting down.
* Ensure snmp agent is in correct state when initialising/closing
Make sure the snmp agent is not already initialised before
initialising it, and make sure it has been initialised before
closing it.
* Disable asserts in bfd code by default and add --enable-asserts
Asserts were enabled by default in the bfd code, which shouldn't be
the case.
Add --enable-asserts configure option so that the asserts tests can
be enabled while debugging.
* Remove debugging log message accidently left in.
* Update receive buffers when interface is created.
The receive buffer size used by keepalived is based on the largest
MTU of any interface that keepalived uses. If dynamic interfaces
are being used and an interface is created after keepalived has
started, the MTU of the new interface may be larger than the
previous largest, so the receive buffer may need to be increased
in size.
Further, if vrrp_rx_bufs_policy is MTU, then the kernel receive
buffers on the receive socket may need to be increased.
* Handle MTU sizes being changed.
Issue #1068 identified that the MTU size wasn't being updated in
keepalived if it changed.
This commit now updates the MTU size and adjusts receive buffer
sizes accordingly.
* Fix syntax error in configure.ac.
* Fix double free when global data smtp_helo_name copied from local_name
Issue #1071 identified a double free fault. It occurred when smtp_helo_name
was not set, in which case it was set to point to the same malloc'd memory
as local_name. At termination keepalived freed both local_name and
smtp_helo_name.
If keepalived needs to use local_name for smtp_helo_name it now malloc's
additional memory to copy the string into.
* Rename TIMER_MAX to TIMER_MAXIMUM.
ulibC defines TIMER_MAX, so to avoid naming conflict rename it.
This issue was reported by Paul Gildea <gildeap@tcd.ie> who also
provided the patch.
* Fix segfault when smtp alerts configured.
* First working version of nftables.
* Restructed code around how iptables/nftables are called
This commit also allows building keepalived without iptables
support, thereby allowing only nftables support.
Adding any other mechanism to handle no_accept mode, i.e. blocking
receiving and sending to/from VIPs should be added to vrrp_firewall.c,
in a similar way to how nftables/iptables are used.
* Update doc files re nftables.
* Make nftables handle dont_track_primary appropriately.
* Fix config reload with nftables.
* Set base chain priorities from configuration.
* Use iptables by default if neither iptables or nftables configured.
But if the build of keepalived does not include iptables, then use
nftables default.
* Stop dumping keywords - left turned on after debugging.
* Make umask configuration apply to created file.
* Add libmnl and libnftnl to travis file.
* Fix compilation failure when NFTNL_EXPR_LOOKUP_FLAGS not defined.
* Fix compilation failure when build with nftables but without iptables.
* Fix order of include files in configure COLLISION test.
Since Linux 4.4.11 (commit 1575c09) including linux/if.h after
net/if.h works, whereas until glibc fix their headers including
net/if.h after linux/if.h causes compiler redefinition errors.
Unfortunately the test for the collision was done the wrong way
round, as identified in issue #1079. The patch included in the
issue report corrects the order of inclusion of the header files.
What we should do is ensure that glibc header files are included
before Linux header files, so that at least if kernel headers from
4.4.11 onwards are used, the conflict will not occur.
* Set CLOEXEC on netlink sockets.
* Correct error message for invalid route metric.
* Add track_process for vrrp to monitor if another process is running.
Configurations frequently include a track_script to check that a process
is running, often haproxy or nginx. Using any of pgrep, pkill, killall,
pidof, etc, has an overhead of reading all /proc/[1-9]*/status and/or
/proc/[1-9]*/cmdline files. In particular reading the cmdline files
has a significant overhead on a system that is swapping, since the
cmdline files provide access to part of the address space of each
process, which may need to be fetched from the swap space.
This commit reads the /proc/[1-9]*/stat and/or the /proc/[1-9]*/cmdline
files only when keepalived starts, and after that uses the process events
connector to track process creation and termination.
keepalived will ignore zombie processes, whereas pgrep etc include them.
A minimum number of instances of a process can be specified, and also a
delay so that if a process is restarted, it won't cause monitoring vrrp
instances to immediately transition to fault state but to wait the
configured time and it the monitored process starts again it
won't transition to fault state.
There are potential difficulties with the process event connector if a
large number of process events occur very rapidly, since there can be
a receive buffer overrun on the netlink socket. This code will detect
that happening, increase the receive buffer size, and reread the processes
from /proc.
* Add missing #include to track_process.c.
* Fix number of elements of fd_set read for snmp select info.
* Remove thread_event_t when EPOLL_CTL_DEL fails.
If snmpd closes a file descriptor, when keepalived attempts to
unregister the fd from epoll an error is returned. However, we still
need to remove the thread_event_t from the io_events rbtree.
* Fix connection to snmpd after it has to reconnect.
Issue #1080 identified that keepalived wasn't handling a connection
failure and reconnect to snmpd properly. The problem was created when
the change from select() to epoll() was made.
This commit makes keepalived unregister and reregister the snmp file
descriptors after snmpd reconnects.
* Fix retry count for SMTP_CHECK checker.
The checker was doing one too few retries.
* Make healthchecker failure reporting consistent
Some healthcheckers were reporting all failures, and others only when
the retries expired. This commit by default makes the checkers only
report failure when the retries expire, unless the global keyword
checker_log_all_failures or log_all_failures on the specific checker
is configured.
* After reload, reinitialise current track processes state.
* Remove unused variable in track_process.c.
* Add configure checks re --with-kernel-dir.
* Convert remaining select() to epoll_wait().
keepalived was using select() for handling the termination of child
processes, but the main scheduling loop now uses epoll_wait(), so
convert the select() to epoll_wait() from consistency.
* Stop keepalived leaving zombie child processes.
keepalived wasn't reaping the termination of its child processes,
so this commit adds waitpid() calls once it knows the processes
have terminated.
* Fix make distclean and make distcheck.
* Also skip route not configured with down interface.
Otherwise, if keepalived has virtual_routes configured, we create
a virtual interface and bring it up and down, current code will bring
VRRP state to FAULT and never return.
* Stop vrrp process entering infinite loop when track script times out
Issue #1093 identified that the vrrp process was entering an infinite
loop after a track script timed out. This was due to a child process
thread having an RB tree for PIDs as well as for the timeout, and if
a child process timed out, the thread wasn't being removed from the
PID RB tree. This commit now ensures it is removed.
* Fix the abbreviation of Shortest Expected Delay.
* Don't free unallocated memory if not tracking processes.
* vrrp: Rewrote JSON code
Remove dependency to json-c extralib by using a simple streaming JSON writter.
Refactored code to make it simple to maintain.
* vrrp: Fix JSON handling for v{route;rule}.
* autoconf: fix nftables selection
We need to inhibit nftable compilation if compiling system has
kernel header file nf_tables.h but not libnftnl nor libmnl.
2018-11-12 Alexandre Cassen <acassen@keepalived.org>
* keepalived-2.0.10
* Fix compiling on Alpine Linux.
* Stop printf compiler warning on Alpine Linux due to rlim_t.
* manpage cosmetic.
* Fix removing snmpd read threads when snmpd becomes unavailable.
* Update to support libipset version 7.
* Use ipset_printf for ipset messages so can go to log.
* When opening files for write, ensure files can only be read by root.
Issue #1048 referred to CVE-2018-19046 regarding files used for
debugging purposes could potentially be read by non root users.
This commit ensures that such log files cannot be opened by non root
users.
* Disable fopen_safe() append mode by default
If a non privileged user creates /tmp/keepalived.log and has it open
for read (e.g. tail -f), then even though keepalived will change the
owner to root and remove all read/write permissions from non owners,
the application which already has the file open will be able to read
the added log entries.
Accordingly, opening a file in append mode is disabled by default, and
only enabled if --enable-smtp-alert-debug or --enable-log-file (which
are debugging options and unset by default) are enabled.
This should further alleviate security concerns related to CVE-2018-19046.
* vrrp: add support to constant time memcmp.
Just an update to use best practise security design pattern. While
comparing password or hmac you need to ensure comparison function
is time constant in order to figth against any timing attacks. We
turn off potential compiler optimizations for this particular
function to avoid any short circuit.
* Make sure a non privileged user cannot read keepalived file output
Ensure that when a file such as /tmp/keepalived.data is wriiten,
no non privileged can have a previous version of that file already
open, thereby allowing them to read the data.
This should fully resolve CVE-2018-19046.
2018-11-08 Alexandre Cassen <acassen@gmail.com>
* keepalived-2.0.9
* Fix updating a timer thread's timeout.
Issue #1042 identified that the BFD process could segfault. This
was tracked down to a timer thread which had already expired having
its timeout updated by timer_thread_update_timeout().
The sands timer should only be updated if the thread is on a waiting
queue, and not if it has already timed out or it is unused.
* Don't requeue read thread if it is not waiting.
This update matches commit 09a2a37 - Fix updating a timer thread's
timeout should.
* Allow BFD instance to recover after send error.
If sendto failed in bfd_send_packet(), the bfd instance was put into
admin down state, but there was no means for the bfd instance to
transition out of admin down state.
This commit makes keepalived log the first instance of a sequence of
failures to send a bfd packet, but does not bring the bfd instance down
in case the error is a transient error. If the error is longer lasting,
the remote system will timeout, transition to down state, and send a message
saying it is down.
Once the bfd instance can start sending again the bfd instance can now
transition again to up state.
* Make DGB definition use log_message() rather than syslog().
* Fix building with --enable-debug configure option.
* Start list of required kernel features in INSTALL file.
Issue #1024 asked what kernel features are needed to support keepalived.
The simple answer was that it isn't recorded anywhere, so this is a
start of making a list of the features required.
* Make list_remove() call list free function and add list_transfer().
If an element is being removed from a list, the free function should
be called.
list_transfer() allows a list element to be moved from one list to
another without freeing and reallocating the list element control
information.
* Add mem_check diagnostics re calling functions of list functions.
When using mem_check, mallocs and frees were recorded against the
list functions, and the originating functions weren't identified.
This patch adds recording of the functions calling the list
functions so that the originating function is identified.
* Simplify the processing of comments in configuration files.
This commit moves the handling (and removal) of comments to a
single function (called from read_line()) which simplifies the
processing of config files.
* Add ~SEQ(start, step, end) config functionality
Where a configuration has repeated blocks of configuration where
the only thing that changes is a numeric value (e.g. for VRIDs
from 1 to 255) this allows the block to be defined once, and a
single line using ~SEQ can then generate all the blocks.
* Use REALLOC when building a multiline definition.
The code used to use MALLOC, strcpy() and FREE, but REALLOC can do
all this for us.
* Improve mem-check diagnostics.
When using an allocation list of over 50,000 entries, it was quite slow
searching thtough all the entries to find the matching memory allocation,
and to find free entries. This commit changes to using malloc() to create
entries, and a red-black tree to hold the entries. It also has a separate
list of free entries.
This commit also adds 4 more types of memory allocation error, and
improves the consistency of the entries in the log files.
* Don't attempt to delete VMAC when underlying interface is deleted.
If the underlying interface of one of our vmacs is deleted, and we
know the vmac has been deleted, don't attempt to delete it again.
* Include master state in determining if vmacs are up or down
Netlink doesn't send messages for a state change of a macvlan when
the master device changes state, so we have to track that for
ourselves.
* Turn off parser debugging.
* Make test/mk_if create iptables chains.
* Handle interfaces not existing when keepalived terminates.
If the underlying interface of a vmac we created has been deleted,
the vmac will not exist so don't attempt to delete it again. Also,
don't attempt to reset the configuration of the underlying interface.
* Handle the underlying interface of a macvlan interface going up/down.
The kernel doesn't send netlink messages for macvlans going up or
down when the underlying interface transitions (it doesn't even
update their status to say they are up/down), but the interfaces
don't work. We need to track the state of the underlying interfaces
and propagate that to the macvlan interfaces.
* Fix duplicate value in track_t enum.
* Fix check for matching track types.
* Treat macvtap interfaces in the same way as macvlan interfaces.
* Improve handling of interfaces not existing when keepalived starts.
* Fix handling interface deletion and creation of vmacs on macvlan i/fs.
* When interface created, open sockets on it if used by VRRP directly
If an interface is created that has vrrp instances configured on it
that don't use VMACs, or use vmac_xmit_base, then the raw sockets
must be opened.
* Force seeing a transition to up state when an interface is created.
* Fix netlink remnant data error.
* Add command line and configuration option to set umask.
Issue #1048 identified that files created by keepalived are created
with mode 0666. This commit changes the default to 0644, and also
allows the umask to be specified in the configuration or as a command
line option.
* Fix compile warning introduced in commit c6247a9.
Commit c6247a9 - "Add command line and configuration option to set umask"
introduced a compile warning, although the code would have worked OK.
* When opening files for write, ensure they aren't symbolic links.
Issue #1048 identified that if, for example, a non privileged user
created a symbolic link from /etc/keepalvied.data to /etc/passwd,
writing to /etc/keepalived.data (which could be invoked via DBus)
would cause /etc/passwd to be overwritten.
This commit stops keepalived writing to pathnames where the ultimate
component is a symbolic link, by setting O_NOFOLLOW whenever opening
a file for writing.
This might break some setups, where, for example, /etc/keepalived.data
was a symbolic link to /home/fred/keepalived.data. If this was the case,