authoraapostoliuk <a.apostoliuk@vyos.io>2023-10-27 15:09:29 +0300
committeraapostoliuk <a.apostoliuk@vyos.io>2023-10-27 16:02:26 +0300
commit86a97880700a42f2416c196ce93853a4e7e18b4d (patch)
tree899a166df157d628fbc1473648edffde81e4bb71
parentf2614bf9dcc8c600bb5f85a5026b1797bc2ae628 (diff)
downloadvyos-build-86a97880700a42f2416c196ce93853a4e7e18b4d.tar.gz
vyos-build-86a97880700a42f2416c196ce93853a4e7e18b4d.zip
keepalived:T5402:Added patch with arp_ignore to 1 on IPv6 VMACs
Added patch with commit '9ca8688' to pkg-keepalived 1:2.2.7-1 https://github.com/acassen/keepalived/commit/9ca8688c7fe591e1face259f19ee6169e20a3438 Setting arp_ignore to 1 ensures that the VMAC interface does not respond to ARP requests for IPv4 addresses not configured on the VMAC.
-rw-r--r--packages/keepalived/.gitignore1
-rw-r--r--packages/keepalived/Jenkinsfile33
-rwxr-xr-xpackages/keepalived/build.py50
-rw-r--r--packages/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch129
4 files changed, 213 insertions, 0 deletions
diff --git a/packages/keepalived/.gitignore b/packages/keepalived/.gitignore
new file mode 100644
index 00000000..9503bdbd
--- /dev/null
+++ b/packages/keepalived/.gitignore
@@ -0,0 +1 @@
+keepalived/
diff --git a/packages/keepalived/Jenkinsfile b/packages/keepalived/Jenkinsfile
new file mode 100644
index 00000000..b91c927e
--- /dev/null
+++ b/packages/keepalived/Jenkinsfile
@@ -0,0 +1,33 @@
+// Copyright (C) 2023 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+@NonCPS
+
+// Using a version specifier library, use 'current' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@current')_
+
+def package_name = 'keepalived'
+
+def pkgList = [
+ ['name': "${package_name}",
+ 'scmCommit': 'debian/1%2.2.7-1',
+ 'scmUrl': 'https://salsa.debian.org/debian/pkg-keepalived.git',
+ 'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; ../build.py'],
+]
+
+// Start package build using library function from https://github.com/vyos/vyos-build
+buildPackage("${package_name}", pkgList, null, true, "**/packages/${package_name}/**")
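Review bot: `'scmCommit': 'debian/1%2.2.7-1'` names a tag rather than a commit, so the source this package is built from changes silently if that tag is ever moved on salsa. Pinning the full hash the tag resolves to, e.g. `'scmCommit': '<FULL_COMMIT_SHA_PLACEHOLDER>'`, would make the build input immutable, assuming `buildPackage` accepts a hash, which this hunk does not show. In `buildCmd` the two steps are joined with `;`, so `../build.py` still runs when `mk-build-deps` fails; `&&` would stop the build at the failed dependency install. The licence header also carries a stray line, `// in order to easy exprort images built to "external" world`, in the middle of the GPL sentence, and it should be dropped.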
diff --git a/packages/keepalived/build.py b/packages/keepalived/build.py
new file mode 100755
index 00000000..04f4791b
--- /dev/null
+++ b/packages/keepalived/build.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+
+from pathlib import Path
+from shutil import copy as copy_file
+from subprocess import run
+
+
+# copy patches
+def apply_deb_patches() -> None:
+ """Apply patches to sources directory
+ """
+ patches_dir = Path('../patches')
+ current_dir: str = Path.cwd().as_posix()
+ if patches_dir.exists():
+ patches_list = list(patches_dir.iterdir())
+ patches_list.sort()
+ Path(f'{current_dir}/debian/patches').mkdir(parents=True, exist_ok=True)
+ series_file = Path(f'{current_dir}/debian/patches/series')
+ series_data = ''
+ for patch_file in patches_list:
+ print(f'Applying patch: {patch_file.name}')
+ copy_file(patch_file, f'{current_dir}/debian/patches/')
+ if series_file.exists():
+ series_data: str = series_file.read_text()
+ series_data = f'{series_data}\n{patch_file.name}'
+ series_file.write_text(series_data)
+
+
+def build_package() -> bool:
+ """Build a package
+
+ Returns:
+ bool: build status
+ """
+ build_cmd: list[str] = ['dpkg-buildpackage', '-uc', '-us', '-tc', '-b']
+ build_status: int = run(build_cmd).returncode
+
+ if build_status:
+ return False
+ return True
+
+
+# build a package
+if __name__ == '__main__':
+ apply_deb_patches()
+
+ if not build_package():
+ exit(1)
+
+ exit()
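Review bot: `apply_deb_patches()` copies every entry of `../patches` and appends its name to `debian/patches/series` unconditionally, so a stray file (editor backup, README) becomes a series entry and a second run in the same tree lists each patch twice. Filtering and de-duplicating would keep the series file equal to the reviewed patch set: `patches_list = sorted(p for p in patches_dir.iterdir() if p.suffix == '.patch')`, and skip the append when `patch_file.name in series_data.splitlines()`. The message `Applying patch:` is misleading because the function only copies the file and records it in `series`; application is presumably left to the Debian build, so `Adding patch to series:` describes it better. Since `'../patches'` is resolved against the working directory, a short comment stating that the script must be started from the unpacked source directory would help the next maintainer.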
diff --git a/packages/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch b/packages/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch
new file mode 100644
index 00000000..b099dc7b
--- /dev/null
+++ b/packages/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch
@@ -0,0 +1,129 @@
+From af4aa758c3512bec8233549e138b03741c5404f9 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Sat, 14 Oct 2023 15:37:19 +0100
+Subject: [PATCH] vrrp: Set sysctl arp_ignore to 1 on IPv6 VMACs
+
+Setting arp_ignore to 1 ensures that the VMAC interface does not respond
+to ARP requests for IPv4 addresses not configured on the VMAC.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/include/vrrp_if_config.h | 2 +-
+ keepalived/vrrp/vrrp_if_config.c | 28 ++++++++++++++++++++--------
+ keepalived/vrrp/vrrp_vmac.c | 5 ++---
+ 3 files changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/keepalived/include/vrrp_if_config.h b/keepalived/include/vrrp_if_config.h
+index 35465cd..c35e56e 100644
+--- a/keepalived/include/vrrp_if_config.h
++++ b/keepalived/include/vrrp_if_config.h
+@@ -34,7 +34,7 @@ extern void set_promote_secondaries(interface_t*);
+ extern void reset_promote_secondaries(interface_t*);
+ #ifdef _HAVE_VRRP_VMAC_
+ extern void restore_rp_filter(void);
+-extern void set_interface_parameters(const interface_t*, interface_t*);
++extern void set_interface_parameters(const interface_t*, interface_t*, sa_family_t);
+ extern void reset_interface_parameters(interface_t*);
+ extern void link_set_ipv6(const interface_t*, bool);
+ #endif
+diff --git a/keepalived/vrrp/vrrp_if_config.c b/keepalived/vrrp/vrrp_if_config.c
+index cfce7e2..fbfd34c 100644
+--- a/keepalived/vrrp/vrrp_if_config.c
++++ b/keepalived/vrrp/vrrp_if_config.c
+@@ -81,6 +81,11 @@ static sysctl_opts_t vmac_sysctl[] = {
+ { 0, 0}
+ };
+
++static sysctl_opts_t vmac_sysctl_6[] = {
++ { IPV4_DEVCONF_ARP_IGNORE, 1 },
++ { 0, 0}
++};
++
+ #endif
+ #endif
+
+@@ -216,11 +221,14 @@ netlink_set_interface_flags(unsigned ifindex, const sysctl_opts_t *sys_opts)
+
+ #ifdef _HAVE_VRRP_VMAC_
+ static inline int
+-netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp)
++netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
+ {
+- if (netlink_set_interface_flags(ifp->ifindex, vmac_sysctl))
++ if (netlink_set_interface_flags(ifp->ifindex, family == AF_INET6 ? vmac_sysctl_6 : vmac_sysctl))
+ return -1;
+
++ if (family == AF_INET6)
++ return 0;
++
+ /* If the underlying interface is a MACVLAN that has been moved into
+ * a separate network namespace from the parent, we can't access the
+ * parent. */
+@@ -271,9 +279,9 @@ netlink_reset_interface_parameters(const interface_t* ifp)
+ }
+
+ static inline void
+-set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp)
++set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
+ {
+- if (netlink_set_interface_parameters(ifp, base_ifp))
++ if (netlink_set_interface_parameters(ifp, base_ifp, family))
+ log_message(LOG_INFO, "Unable to set parameters for %s", ifp->ifname);
+ }
+
+@@ -310,11 +318,15 @@ reset_promote_secondaries_devconf(interface_t *ifp)
+
+ #ifdef _HAVE_VRRP_VMAC_
+ static inline void
+-set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp)
++set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
+ {
+ unsigned val;
+
+ set_sysctl("net/ipv4/conf", ifp->ifname, "arp_ignore", 1);
++
++ if (family == AF_INET6)
++ return;
++
+ set_sysctl("net/ipv4/conf", ifp->ifname, "accept_local", 1);
+ set_sysctl("net/ipv4/conf", ifp->ifname, "rp_filter", 0);
+
+@@ -524,15 +536,15 @@ restore_rp_filter(void)
+ }
+
+ void
+-set_interface_parameters(const interface_t *ifp, interface_t *base_ifp)
++set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family)
+ {
+ if (all_rp_filter == UINT_MAX)
+ clear_rp_filter();
+
+ #ifdef _HAVE_IPV4_DEVCONF_
+- set_interface_parameters_devconf(ifp, base_ifp);
++ set_interface_parameters_devconf(ifp, base_ifp, family);
+ #else
+- set_interface_parameters_sysctl(ifp, base_ifp);
++ set_interface_parameters_sysctl(ifp, base_ifp, family);
+ #endif
+ }
+
+diff --git a/keepalived/vrrp/vrrp_vmac.c b/keepalived/vrrp/vrrp_vmac.c
+index e5ff0e9..021953a 100644
+--- a/keepalived/vrrp/vrrp_vmac.c
++++ b/keepalived/vrrp/vrrp_vmac.c
+@@ -407,10 +407,9 @@ netlink_link_add_vmac(vrrp_t *vrrp, const interface_t *old_interface)
+ if (!ifp->ifindex)
+ return false;
+
+- if (vrrp->family == AF_INET && create_interface) {
++ if (create_interface) {
+ /* Set the necessary kernel parameters to make macvlans work for us */
+-// If this saves current base_ifp's settings, we need to be careful if multiple VMACs on same i/f
+- set_interface_parameters(ifp, ifp->base_ifp);
++ set_interface_parameters(ifp, ifp->base_ifp, vrrp->family);
+ }
+
+ #ifdef _WITH_FIREWALL_
+--
+2.34.1
+
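Review bot: The embedded patch header `From af4aa758c3512bec8233549e138b03741c5404f9` carries a different hash than the upstream commit `9ca8688` named in the commit description, so the file itself gives no way to check it against upstream. A DEP-3 style line in the patch preamble, `Origin: upstream, https://github.com/acassen/keepalived/commit/9ca8688c7fe591e1face259f19ee6169e20a3438`, would record that provenance. On the code side, `set_interface_parameters()` is now reached for IPv6 VMACs as well and still calls `clear_rp_filter()` before any family check, while `reset_interface_parameters()` keeps its old signature. Neither body is visible in this patch, so it is worth confirming against the 2.2.7 sources that the reset path does not undo base-interface settings the new `AF_INET6` early return never applied.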