| -rw-r--r-- | packages/keepalived/.gitignore | 1 | ||||
| -rw-r--r-- | packages/keepalived/Jenkinsfile | 33 | ||||
| -rwxr-xr-x | packages/keepalived/build.py | 50 | ||||
| -rw-r--r-- | packages/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch | 129 | 
4 files changed, 213 insertions, 0 deletions
|
diff --git a/packages/keepalived/.gitignore b/packages/keepalived/.gitignore
new file mode 100644
index 00000000..9503bdbd
--- /dev/null
+++ b/packages/keepalived/.gitignore
@@ -0,0 +1 @@
+keepalived/
diff --git a/packages/keepalived/Jenkinsfile b/packages/keepalived/Jenkinsfile
new file mode 100644
index 00000000..b91c927e
--- /dev/null
+++ b/packages/keepalived/Jenkinsfile
@@ -0,0 +1,33 @@
+// Copyright (C) 2023 VyOS maintainers and contributors
+//
+// This program is free software; you can redistribute it and/or modify
+// in order to easy exprort images built to "external" world
+// it under the terms of the GNU General Public License version 2 or later as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+@NonCPS
+
+// Using a version specifier library, use 'current' branch. The underscore (_)
+// is not a typo! You need this underscore if the line immediately after the
+// @Library annotation is not an import statement!
+@Library('vyos-build@current')_
+
+def package_name = 'keepalived'
+
+def pkgList = [
+    ['name': "${package_name}",
+     'scmCommit': 'debian/1%2.2.7-1',
+     'scmUrl': 'https://salsa.debian.org/debian/pkg-keepalived.git',
+     'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; ../build.py'],
+]
+
+// Start package build using library function from https://github.com/vyos/vyos-build
+buildPackage("${package_name}", pkgList, null, true, "**/packages/${package_name}/**")
diff --git a/packages/keepalived/build.py b/packages/keepalived/build.py
new file mode 100755
index 00000000..04f4791b
--- /dev/null
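Review bot: In the Jenkinsfile's `buildCmd` the two steps are joined with `;`, so `../build.py` still runs when `sudo mk-build-deps --install` fails and the package is then built against whatever dependencies happen to be on the agent; joining them with `&&` stops at the first failure: `'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends" && ../build.py'`. `scmCommit` names what looks like a tag (`debian/1%2.2.7-1`) on an external repository; a tag can be moved, so pinning the commit hash would fix the fetched source, provided the `buildPackage` library accepts one (not visible here). The licence header also carries a stray line, `// in order to easy exprort images built to "external" world`, in the middle of the GPL sentence.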
+++ b/packages/keepalived/build.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+
+from pathlib import Path
+from shutil import copy as copy_file
+from subprocess import run
+
+
+# copy patches
+def apply_deb_patches() -> None:
+    """Apply patches to sources directory
+    """
+    patches_dir = Path('../patches')
+    current_dir: str = Path.cwd().as_posix()
+    if patches_dir.exists():
+        patches_list = list(patches_dir.iterdir())
+        patches_list.sort()
+        Path(f'{current_dir}/debian/patches').mkdir(parents=True, exist_ok=True)
+        series_file = Path(f'{current_dir}/debian/patches/series')
+        series_data = ''
+        for patch_file in patches_list:
+            print(f'Applying patch: {patch_file.name}')
+            copy_file(patch_file, f'{current_dir}/debian/patches/')
+            if series_file.exists():
+                series_data: str = series_file.read_text()
+            series_data = f'{series_data}\n{patch_file.name}'
+            series_file.write_text(series_data)
+
+
+def build_package() -> bool:
+    """Build a package
+
+    Returns:
+        bool: build status
+    """
+    build_cmd: list[str] = ['dpkg-buildpackage', '-uc', '-us', '-tc', '-b']
+    build_status: int = run(build_cmd).returncode
+
+    if build_status:
+        return False
+    return True
+
+
+# build a package
+if __name__ == '__main__':
+    apply_deb_patches()
+
+    if not build_package():
+        exit(1)
+
+    exit()
diff --git a/packages/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch b/packages/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch
new file mode 100644
index 00000000..b099dc7b
--- /dev/null
+++ b/packages/keepalived/patches/0001-vrrp-Set-sysctl-arp_ignore-to-1-on-IPv6-VMACs.patch
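Review bot: `apply_deb_patches()` registers every entry of `../patches` in `debian/patches/series` without checking what it is or whether it is already listed, so a stray non-patch file in that directory becomes a series entry, and a second run on the same checkout appends each name again, which the Debian patch tooling will probably reject. Restricting and de-duplicating the list keeps the applied patch set equal to what was reviewed: `patches_list = sorted(patches_dir.glob('*.patch'))`, and inside the loop, after the series file has been read, `if patch_file.name in series_data.splitlines(): continue`. `Path('../patches')` is also resolved against the working directory rather than the script's own location, so the function silently does nothing when started from elsewhere and the package is built without the patch; raising an error when the directory is missing would make that visible. In the `__main__` block, `exit()` is the interactive helper from `site`; `sys.exit()` is the form meant for scripts.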
@@ -0,0 +1,129 @@ +From af4aa758c3512bec8233549e138b03741c5404f9 Mon Sep 17 00:00:00 2001 +From: Quentin Armitage <quentin@armitage.org.uk> +Date: Sat, 14 Oct 2023 15:37:19 +0100 +Subject: [PATCH] vrrp: Set sysctl arp_ignore to 1 on IPv6 VMACs + +Setting arp_ignore to 1 ensures that the VMAC interface does not respond +to ARP requests for IPv4 addresses not configured on the VMAC. + +Signed-off-by: Quentin Armitage <quentin@armitage.org.uk> +--- + keepalived/include/vrrp_if_config.h |  2 +- + keepalived/vrrp/vrrp_if_config.c    | 28 ++++++++++++++++++++-------- + keepalived/vrrp/vrrp_vmac.c         |  5 ++--- + 3 files changed, 23 insertions(+), 12 deletions(-) + +diff --git a/keepalived/include/vrrp_if_config.h b/keepalived/include/vrrp_if_config.h +index 35465cd..c35e56e 100644 +--- a/keepalived/include/vrrp_if_config.h ++++ b/keepalived/include/vrrp_if_config.h +@@ -34,7 +34,7 @@ extern void set_promote_secondaries(interface_t*); + extern void reset_promote_secondaries(interface_t*); + #ifdef _HAVE_VRRP_VMAC_ + extern void restore_rp_filter(void); +-extern void set_interface_parameters(const interface_t*, interface_t*); ++extern void set_interface_parameters(const interface_t*, interface_t*, sa_family_t); + extern void reset_interface_parameters(interface_t*); + extern void link_set_ipv6(const interface_t*, bool); + #endif +diff --git a/keepalived/vrrp/vrrp_if_config.c b/keepalived/vrrp/vrrp_if_config.c +index cfce7e2..fbfd34c 100644 +--- a/keepalived/vrrp/vrrp_if_config.c ++++ b/keepalived/vrrp/vrrp_if_config.c +@@ -81,6 +81,11 @@ static sysctl_opts_t vmac_sysctl[] = { + 	{ 0, 0} + }; +  ++static sysctl_opts_t vmac_sysctl_6[] = { ++	{ IPV4_DEVCONF_ARP_IGNORE, 1 }, ++	{ 0, 0} ++}; ++ + #endif + #endif +  +@@ -216,11 +221,14 @@ netlink_set_interface_flags(unsigned ifindex, const sysctl_opts_t *sys_opts) +  + #ifdef _HAVE_VRRP_VMAC_ + static inline int +-netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp) 
++netlink_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) + { +-	if (netlink_set_interface_flags(ifp->ifindex, vmac_sysctl)) ++	if (netlink_set_interface_flags(ifp->ifindex, family == AF_INET6 ? vmac_sysctl_6 : vmac_sysctl)) + 		return -1; +  ++	if (family == AF_INET6) ++		return 0; ++ + 	/* If the underlying interface is a MACVLAN that has been moved into + 	 * a separate network namespace from the parent, we can't access the + 	 * parent. */ +@@ -271,9 +279,9 @@ netlink_reset_interface_parameters(const interface_t* ifp) + } +  + static inline void +-set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp) ++set_interface_parameters_devconf(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) + { +-	if (netlink_set_interface_parameters(ifp, base_ifp)) ++	if (netlink_set_interface_parameters(ifp, base_ifp, family)) + 		log_message(LOG_INFO, "Unable to set parameters for %s", ifp->ifname); + } +  +@@ -310,11 +318,15 @@ reset_promote_secondaries_devconf(interface_t *ifp) +  + #ifdef _HAVE_VRRP_VMAC_ + static inline void +-set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp) ++set_interface_parameters_sysctl(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) + { + 	unsigned val; +  + 	set_sysctl("net/ipv4/conf", ifp->ifname, "arp_ignore", 1); ++ ++	if (family == AF_INET6) ++		return; ++ + 	set_sysctl("net/ipv4/conf", ifp->ifname, "accept_local", 1); + 	set_sysctl("net/ipv4/conf", ifp->ifname, "rp_filter", 0); +  +@@ -524,15 +536,15 @@ restore_rp_filter(void) + } +  + void +-set_interface_parameters(const interface_t *ifp, interface_t *base_ifp) ++set_interface_parameters(const interface_t *ifp, interface_t *base_ifp, sa_family_t family) + { + 	if (all_rp_filter == UINT_MAX) + 		clear_rp_filter(); +  + #ifdef _HAVE_IPV4_DEVCONF_ +-	set_interface_parameters_devconf(ifp, base_ifp); ++	set_interface_parameters_devconf(ifp, base_ifp, family); + #else 
+-	set_interface_parameters_sysctl(ifp, base_ifp); ++	set_interface_parameters_sysctl(ifp, base_ifp, family); + #endif + } +  +diff --git a/keepalived/vrrp/vrrp_vmac.c b/keepalived/vrrp/vrrp_vmac.c +index e5ff0e9..021953a 100644 +--- a/keepalived/vrrp/vrrp_vmac.c ++++ b/keepalived/vrrp/vrrp_vmac.c +@@ -407,10 +407,9 @@ netlink_link_add_vmac(vrrp_t *vrrp, const interface_t *old_interface) + 	if (!ifp->ifindex) + 		return false; +  +-	if (vrrp->family == AF_INET && create_interface) { ++	if (create_interface) { + 		/* Set the necessary kernel parameters to make macvlans work for us */ +-// If this saves current base_ifp's settings, we need to be careful if multiple VMACs on same i/f +-		set_interface_parameters(ifp, ifp->base_ifp); ++		set_interface_parameters(ifp, ifp->base_ifp, vrrp->family); + 	} +  + #ifdef _WITH_FIREWALL_ +--  +2.34.1 + | 
