6 changed files with 1 additions and 308 deletions
--- a/SOURCES/RHEL-49561-validate-ipset-names-better.patch
+++ b/SOURCES/RHEL-49561-validate-ipset-names-better.patch
@ -1,83 +0,0 @@
 diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patched/keepalived/core/global_parser.c
 --- keepalived-2.1.5/keepalived/core/global_parser.c	2020-07-10 17:41:46.000000000 +0100
 +++ keepalived-2.1.5.patched/keepalived/core/global_parser.c	2024-12-02 14:06:44.469215491 +0000
@@ -955,6 +955,22 @@
 	}
 }
 #ifdef _HAVE_LIBIPSET_
 +static bool
 +check_valid_ipset_name(const vector_t *strvec, unsigned entry, const char *log_name)
 +{
 +	if (strlen(strvec_slot(strvec, entry)) >= IPSET_MAXNAMELEN - 1) {
 +		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name too long - ignored", log_name);
 +		return false;
 +	}
 +
 +	if (strlen(strvec_slot(strvec, entry)) == 0) {
 +		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name empty - ignored", log_name);
 +		return false;
 +	}
 +
 +	return true;
 +}
 +
 static void
 vrrp_ipsets_handler(const vector_t *strvec)
 {
@@ -974,17 +990,13 @@
 		return;
 	}
 -	if (strlen(strvec_slot(strvec,1)) >= IPSET_MAXNAMELEN - 1) {
 -		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset address name too long - ignored");
 +	if (!check_valid_ipset_name(strvec, 1, "address"))
 		return;
 -	}
 	global_data->vrrp_ipset_address = STRDUP(strvec_slot(strvec,1));
 	if (vector_size(strvec) >= 3) {
 -		if (strlen(strvec_slot(strvec,2)) >= IPSET_MAXNAMELEN - 1) {
 -			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address name too long - ignored");
 +		if (!check_valid_ipset_name(strvec, 2, "IPv6 address"))
 			return;
 -		}
 		global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2));
 	}
 	else {
@@ -995,10 +1007,8 @@
 		global_data->vrrp_ipset_address6 = STRDUP(set_name);
 	}
 	if (vector_size(strvec) >= 4) {
 -		if (strlen(strvec_slot(strvec,3)) >= IPSET_MAXNAMELEN - 1) {
 -			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address_iface name too long - ignored");
 +		if (!check_valid_ipset_name(strvec, 3, "IPv6 address_iface"))
 			return;
 -		}
 		global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3));
 	}
 	else {
@@ -1014,10 +1024,8 @@
 #ifdef HAVE_IPSET_ATTR_IFACE
 	if (vector_size(strvec) >= 5) {
 -		if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) {
 -			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored");
 +		if (!check_valid_ipset_name(strvec, 4, "IGMP"))
 			return;
 -		}
 		global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4));
 	}
 	else {
@@ -1028,10 +1036,8 @@
 		global_data->vrrp_ipset_igmp = STRDUP(set_name);
 	}
 	if (vector_size(strvec) >= 6) {
 -		if (strlen(strvec_slot(strvec,5)) >= IPSET_MAXNAMELEN - 1) {
 -			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset MLD name too long - ignored");
 +		if (!check_valid_ipset_name(strvec, 5, "MLD"))
 			return;
 -		}
 		global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5));
 	}
 	else {
 Only in keepalived-2.1.5.patched/keepalived/core: global_parser.c.orig
--- a/SOURCES/RHEL-66742.patch
+++ b/SOURCES/RHEL-66742.patch
@ -1,41 +0,0 @@
 commit d2f5e5595a511ff62934c77cb62f82bdb2320e29
 Author: Yonglong Li <liyonglong@chinatelecom.cn>
 Date:   Fri Dec 29 11:03:08 2023 +0800
    lvs: if lost misc check child register checker agagin
    issue: misc check_child_thread timeout and remove child_pid
    form rb_data, timeout callback of check_child_thread is not be
    called, if at this time misc script done and exit, and child
    termination will do nothing because child_pid was remove form
    rb_data. in this case timeou callback will not register checker
    again, the checker will lost.
    fix: if lost misc check child register checker again
    Signed-off-by: Yonglong Li <liyonglong@chinatelecom.cn>
 diff --git a/keepalived/check/check_misc.c b/keepalived/check/check_misc.c
 index b2260d5f..c388e89d 100644
 --- a/keepalived/check/check_misc.c
 +++ b/keepalived/check/check_misc.c
@@ -337,9 +337,10 @@ misc_check_child_thread(thread_ref_t thread)
 					/* The process does not exist, and we should
 					 * have reaped its exit status, otherwise it
 					 * would exist as a zombie process. */
 -					log_message(LOG_INFO, "Misc script %s child (PID %d) lost", misck_checker->script.args[0], pid);
 +					log_message(LOG_INFO, "Misc script %s child (PID %d) lost, register checker again", misck_checker->script.args[0], pid);
 					misck_checker->state = SCRIPT_STATE_IDLE;
 					timeout = 0;
 +					goto recheck;
 				} else {
 					log_message(LOG_INFO, "kill -%d of process %s(%d) with new state %u failed with errno %d", sig_num, misck_checker->script.args[0], pid, misck_checker->state, errno);
 					timeout = 1000;
@@ -488,6 +489,7 @@ misc_check_child_thread(thread_ref_t thread)
 		}
 	}
 +recheck:
 	/* Register next timer checker */
 	next_time = timer_add_long(misck_checker->last_ran, checker->retry_it ? checker->delay_before_retry : checker->delay_loop);
 	next_time = timer_sub_now(next_time);
--- a/SOURCES/RHEL-7694-dep.patch
+++ b/SOURCES/RHEL-7694-dep.patch
@ -1,23 +0,0 @@
 commit 4a56ddf74b310d75c31bb98fee6f6789b04f6891
 Author: Quentin Armitage <quentin@armitage.org.uk>
 Date:   Mon Jul 20 07:03:54 2020 +0100
    vrrp: Fix building without VMAC support
    Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
 diff --git a/keepalived/vrrp/vrrp_parser.c b/keepalived/vrrp/vrrp_parser.c
 index 1d19c684..3e05f698 100644
 --- a/keepalived/vrrp/vrrp_parser.c
 +++ b/keepalived/vrrp/vrrp_parser.c
@@ -412,9 +412,9 @@ vrrp_handler(const vector_t *strvec)
 static void
 vrrp_end_handler(void)
 {
 -#ifdef _HAVE_VRRP_VMAC_
 	vrrp_t *vrrp = list_last_entry(&vrrp_data->vrrp, vrrp_t, e_list);
 +#ifdef _HAVE_VRRP_VMAC_
 	if (!list_empty(&vrrp->unicast_peer) && vrrp->vmac_flags) {
 		report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers - clearing use_vmac", vrrp->iname);
 		vrrp->vmac_flags = 0;
--- a/SOURCES/RHEL-7694.patch
+++ b/SOURCES/RHEL-7694.patch
@ -1,97 +0,0 @@
 commit 97429b3b7e6ec2f5b9c93a5d507b152bab30f919
 Author: Quentin Armitage <quentin@armitage.org.uk>
 Date:   Wed Sep 16 15:35:44 2020 +0100
    vrrp: Fix using VMACs with unicast peers
    Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
 diff --git a/doc/man/man5/keepalived.conf.5 b/doc/man/man5/keepalived.conf.5
 index e6b230c6..83a5915f 100644
 --- a/doc/man/man5/keepalived.conf.5
 +++ b/doc/man/man5/keepalived.conf.5
@@ -1359,6 +1359,8 @@ The syntax for vrrp_instance is :
     # all.rp_filter, as will default.rp_filter, and all.rp_filter
     # will be set to 0.
     # The original settings are restored on termination.
 +    # \fBNOTE 2\fR: If using use_vmac with unicast peers,
 +    # vmac_xmit_base must be set.
     \fBuse_vmac \fR[<VMAC_INTERFACE>]
     # Send/Recv VRRP messages from base interface instead of
 diff --git a/keepalived/vrrp/vrrp_parser.c b/keepalived/vrrp/vrrp_parser.c
 index 5cf1eea1..d1e2d8ea 100644
 --- a/keepalived/vrrp/vrrp_parser.c
 +++ b/keepalived/vrrp/vrrp_parser.c
@@ -416,9 +416,14 @@ vrrp_end_handler(void)
 #ifdef _HAVE_VRRP_VMAC_
 	if (!list_empty(&vrrp->unicast_peer) && vrrp->vmac_flags) {
 -		report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers - clearing use_vmac", vrrp->iname);
 -		vrrp->vmac_flags = 0;
 -		vrrp->vmac_ifname[0] = '\0';
 +		if (!vrrp->ifp) {
 +			report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers and no interface - clearing use_vmac", vrrp->iname);
 +			vrrp->vmac_flags = 0;
 +			vrrp->vmac_ifname[0] = '\0';
 +		} else if (!__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) {
 +			report_config_error(CONFIG_GENERAL_ERROR, "(%s) unicast with use_vmac requires vmac_xmit_base - setting", vrrp->iname);
 +			__set_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags);
 +		}
 	}
 #endif
 diff --git a/keepalived/vrrp/vrrp_scheduler.c b/keepalived/vrrp/vrrp_scheduler.c
 index 2fb859e1..d9271720 100644
 --- a/keepalived/vrrp/vrrp_scheduler.c
 +++ b/keepalived/vrrp/vrrp_scheduler.c
@@ -459,17 +459,17 @@ vrrp_create_sockpool(list_head_t *l)
 	struct sockaddr_storage *unicast_src;
 	list_for_each_entry(vrrp, &vrrp_data->vrrp, e_list) {
 -		if (list_empty(&vrrp->unicast_peer)) {
 -			ifp =
 -#ifdef _HAVE_VRRP_VMAC_
 -			      (__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) ? vrrp->configured_ifp :
 -#endif
 -											vrrp->ifp;
 +		if (list_empty(&vrrp->unicast_peer))
 			unicast_src = NULL;
 -		} else {
 +		else
 			unicast_src = &vrrp->saddr;
 -			ifp = vrrp->ifp;
 -		}
 +
 +		ifp =
 +#ifdef _HAVE_VRRP_VMAC_
 +		      (__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) ? vrrp->configured_ifp :
 +#endif
 +										vrrp->ifp;
 +
 		proto = IPPROTO_VRRP;
 #if defined _WITH_VRRP_AUTH_
 		if (vrrp->auth_type == VRRP_AUTH_AH)
@@ -607,13 +607,6 @@ vrrp_lower_prio_gratuitous_arp_thread(thread_ref_t thread)
 	vrrp_send_link_update(vrrp, vrrp->garp_lower_prio_rep);
 }
 -static void
 -vrrp_master(vrrp_t * vrrp)
 -{
 -	/* Send the VRRP advert */
 -	vrrp_state_master_tx(vrrp);
 -}
 -
 void
 try_up_instance(vrrp_t *vrrp, bool leaving_init)
 {
@@ -802,7 +795,7 @@ vrrp_dispatcher_read_timeout(sock_t *sock)
 			vrrp_goto_master(vrrp);
 		}
 		else if (vrrp->state == VRRP_STATE_MAST)
 -			vrrp_master(vrrp);
 +			vrrp_state_master_tx(vrrp);
 		/* handle instance synchronization */
 #ifdef _TSM_DEBUG_
--- a/SOURCES/RHEL-7699.patch
+++ b/SOURCES/RHEL-7699.patch
@ -1,40 +0,0 @@
 commit e2b4d108d68ada3af8ad437e2e291fcac1fd0ff7
 Author: Quentin Armitage <quentin@armitage.org.uk>
 Date:   Tue Oct 20 11:24:48 2020 +0100
    ipvs: Allow real servers to be specified with a weight of 0
    This currently only really makes sense when also having a FILE_CHECK
    with non-zero weight configured, or a MISC_CHECK with "misc_dynamic",
    since otherwise there is no way that the weight of the real server can
    be changed to be non-zero.
    Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
 diff --git a/keepalived/check/ipwrapper.c b/keepalived/check/ipwrapper.c
 index a4c40d6c..4b9ccb6f 100644
 --- a/keepalived/check/ipwrapper.c
 +++ b/keepalived/check/ipwrapper.c
@@ -410,8 +410,8 @@ init_service_rs(virtual_server_t *vs)
 					rs->num_failed_checkers++;
 			}
 -			if (rs->effective_weight < 1)
 -				rs->weight = 1;
 +			if (rs->effective_weight < 0)
 +				rs->weight = 0;
 			else if (rs->effective_weight > IPVS_WEIGHT_MAX - 1)
 				rs->weight = IPVS_WEIGHT_MAX - 1;
 			else
@@ -667,9 +667,8 @@ update_svr_wgt(int weight, virtual_server_t * vs, real_server_t * rs
 {
 	rs->effective_weight = weight;
 -/* TODO - handle weight = 0 - ? affects quorum */
 -	if (weight <= 0)
 -		weight = 1;
 +	if (weight < 0)
 +		weight = 0;
 #if IPVS_WEIGHT_MAX != INT_MAX
 	else if (weight > IPVS_WEIGHT_MAX)
 		weight = IPVS_WEIGHT_MAX;
--- a/SPECS/keepalived.spec
+++ b/SPECS/keepalived.spec
@ -10,7 +10,7 @@
 Name: keepalived
 Summary: High Availability monitor built upon LVS, VRRP and service pollers
 Version: 2.1.5
-Release: 11%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 URL: http://www.keepalived.org/
 Group: System Environment/Daemons
@ -22,11 +22,6 @@ Patch1: bz1977716-revert-explicit-set-LOG_USER-facility.patch
 Patch2: bz1977716-use-LOG_DAEMON-facility-by-default.patch
 Patch3: bz2028350-fix-dbus-policy-restrictions.patch
 Patch4: bz2054249-fix-unweighted-track-scripts.patch
 Patch5: RHEL-49561-validate-ipset-names-better.patch
 Patch6: RHEL-7694-dep.patch
 Patch7: RHEL-7694.patch
 Patch8: RHEL-7699.patch
 Patch9: RHEL-66742.patch
 Requires(post): systemd
 Requires(preun): systemd
@ -66,11 +61,6 @@ infrastructures.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %build
 %configure \
@ -121,19 +111,6 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
 %{_mandir}/man8/keepalived.8*
 %changelog
 * Fri Jan 31 2025 Christine Caulfield <ccaulfie@redhat.com> - 2.1.5-11
 - ipvs: Allow real servers to be specified with a weight of 0
  Resolves: RHEL-7699
 - vrrp: Fix using VMACs with unicast peers
  Resolves: RHEL-7694
 - lvs: if lost misc check child register checker again
  Resolves: RHEL-66742
 * Mon Dec  2 2024 Christine Caulfield <ccaulfie@redhat.com> - 2.1.5-10
 - CVE-2024-41184
  Resolves: RHEL-49561
 * Thu Jul 21 2022 Ryan O'Hara <rohara@redhat.com> - 2.1.5-9
 - Fix removal of unweighted track scripts from sync group (#2054249)