Compare commits


No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

22 changed files with 705 additions and 555 deletions

42
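--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,41 @@
-SOURCES/keepalived-2.1.5.tar.gz
+/keepalived-1.2.9.tar.gz
+/keepalived-1.2.10.tar.gz
+/keepalived-1.2.11.tar.gz
+/keepalived-1.2.12.tar.gz
+/keepalived-1.2.13.tar.gz
+/keepalived-1.2.14.tar.gz
+/keepalived-1.2.15.tar.gz
+/keepalived-1.2.16.tar.gz
+/keepalived-1.2.17.tar.gz
+/keepalived-1.2.18.tar.gz
+/keepalived-1.2.19.tar.gz
+/keepalived-1.2.20.tar.gz
+/keepalived-1.2.21.tar.gz
+/keepalived-1.2.22.tar.gz
+/keepalived-1.2.23.tar.gz
+/keepalived-1.2.24.tar.gz
+/keepalived-1.3.2.tar.gz
+/keepalived-1.3.5.tar.gz
+/keepalived-1.3.6.tar.gz
+/keepalived-1.3.9.tar.gz
+/keepalived-1.4.0.tar.gz
+/keepalived-1.4.1.tar.gz
+/keepalived-1.4.2.tar.gz
+/keepalived-1.4.3.tar.gz
+/keepalived-1.4.4.tar.gz
+/keepalived-1.4.5.tar.gz
+/keepalived-2.0.5.tar.gz
+/keepalived-2.0.6.tar.gz
+/keepalived-2.0.10.tar.gz
+/keepalived-2.0.11.tar.gz
+/keepalived-2.0.12.tar.gz
+/keepalived-2.0.18.tar.gz
+/keepalived-2.0.19.tar.gz
+/keepalived-2.0.20.tar.gz
+/keepalived-2.1.5.tar.gz
+/keepalived-2.2.0.tar.gz
+/keepalived-2.2.1.tar.gz
+/keepalived-2.2.2.tar.gz
+/keepalived-2.2.3.tar.gz
+/keepalived-2.2.4.tar.gz
+/keepalived-2.2.8.tar.gz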


@ -1 +0,0 @@
54128bc7b4f8b920028af4691be9013f25393a99 SOURCES/keepalived-2.1.5.tar.gz

123
RHEL-40520-1.patch Normal file

@ -0,0 +1,123 @@
commit 707bbdf8fa27b34f23adaf35cec8cb9be5d8d18b
Author: Quentin Armitage <quentin@armitage.org.uk>
Date: Sat Jan 27 15:32:41 2024 +0000
vrrp: Check interface for static routes if deleted
route_is_ours() checked the outgoing interface for virtual routes
but not for static routes. This commit now adds checking of the
outgoing interface for static routes, and now moves the code to
compare routes into a separate function used for both virtual and
static routes.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
diff --git a/keepalived/core/keepalived_netlink.c b/keepalived/core/keepalived_netlink.c
index 1bde1e63..46598d90 100644
--- a/keepalived/core/keepalived_netlink.c
+++ b/keepalived/core/keepalived_netlink.c
@@ -260,6 +260,39 @@ compare_addr(int family, void *addr1, ip_address_t *addr2)
addr1_p.in6->s6_addr32[3] != addr2->u.sin6_addr.s6_addr32[3];
}
+static bool
+compare_route(struct rtattr *tb[RTA_MAX + 1], ip_route_t *route, uint32_t table, int family, int mask_len, uint32_t priority, uint8_t tos)
+{
+ union {
+ struct in_addr in;
+ struct in6_addr in6;
+ } default_addr;
+
+ if (table != route->table ||
+ family != route->family ||
+ mask_len != route->dst->ifa.ifa_prefixlen ||
+ priority != route->metric ||
+ tos != route->tos)
+ return false;
+
+ if (route->oif) {
+ if (!tb[RTA_OIF] || route->oif->ifindex != *PTR_CAST(uint32_t, RTA_DATA(tb[RTA_OIF])))
+ return false;
+ } else {
+ if (route->set && route->configured_ifindex &&
+ (!tb[RTA_OIF] || route->configured_ifindex != *PTR_CAST(uint32_t, RTA_DATA(tb[RTA_OIF]))))
+ return false;
+ }
+
+ if (!tb[RTA_DST])
+ memset(&default_addr, 0, sizeof(default_addr));
+
+ if (compare_addr(family, tb[RTA_DST] ? RTA_DATA(tb[RTA_DST]) : &default_addr, route->dst))
+ return false;
+
+ return true;
+}
+
static ip_route_t *
route_is_ours(struct rtmsg* rt, struct rtattr *tb[RTA_MAX + 1], vrrp_t** ret_vrrp)
{
@@ -270,10 +303,6 @@ route_is_ours(struct rtmsg* rt, struct rtattr *tb[RTA_MAX + 1], vrrp_t** ret_vrr
uint8_t tos = rt->rtm_tos;
vrrp_t *vrrp;
ip_route_t *route;
- union {
- struct in_addr in;
- struct in6_addr in6;
- } default_addr;
*ret_vrrp = NULL;
@@ -284,48 +313,17 @@ route_is_ours(struct rtmsg* rt, struct rtattr *tb[RTA_MAX + 1], vrrp_t** ret_vrr
list_for_each_entry(vrrp, &vrrp_data->vrrp, e_list) {
list_for_each_entry(route, &vrrp->vroutes, e_list) {
- if (table != route->table ||
- family != route->family ||
- mask_len != route->dst->ifa.ifa_prefixlen ||
- priority != route->metric ||
- tos != route->tos)
- continue;
-
- if (route->oif) {
- if (!tb[RTA_OIF] || route->oif->ifindex != *PTR_CAST(uint32_t, RTA_DATA(tb[RTA_OIF])))
- continue;
- } else {
- if (route->set && route->configured_ifindex &&
- (!tb[RTA_OIF] || route->configured_ifindex != *PTR_CAST(uint32_t, RTA_DATA(tb[RTA_OIF]))))
- continue;
+ if (compare_route(tb, route, table, family, mask_len, priority, tos)) {
+ *ret_vrrp = vrrp;
+ return route;
}
-
- if (!tb[RTA_DST])
- memset(&default_addr, 0, sizeof(default_addr));
-
- if (compare_addr(family, tb[RTA_DST] ? RTA_DATA(tb[RTA_DST]) : &default_addr, route->dst))
- continue;
-
- *ret_vrrp = vrrp;
- return route;
}
}
/* Now check the static routes */
list_for_each_entry(route, &vrrp_data->static_routes, e_list) {
- if (table != route->table ||
- family != route->family ||
- mask_len != route->dst->ifa.ifa_prefixlen ||
- tos != route->tos)
- continue;
-
- if (!tb[RTA_DST])
- memset(&default_addr, 0, sizeof(default_addr));
-
- if (compare_addr(family, tb[RTA_DST] ? RTA_DATA(tb[RTA_DST]) : &default_addr, route->dst))
- continue;
-
- return route;
+ if (compare_route(tb, route, table, family, mask_len, priority, tos))
+ return route;
}
return NULL;
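Review bot: The static-route loop in route_is_ours() now goes through compare_route(), so static routes are additionally rejected on `priority != route->metric`, a test the removed static loop did not make and the commit message (which mentions only the outgoing interface) does not describe; if that is intended it deserves a line in the message or a comment at the call site. compare_route() also returns true on a match while compare_addr(), as it is used here, returns non-zero on a mismatch, so a header comment such as `/* Return true if the route in the netlink message matches route; note compare_addr() returns true when the addresses differ */` would guard against an inverted test later. The `*PTR_CAST(uint32_t, RTA_DATA(tb[RTA_OIF]))` reads assume the attribute payload is at least four bytes, and no length check is visible in this hunk. route_is_ours() begins and ends outside the hunks shown.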

126
RHEL-40520-2.patch Normal file

@ -0,0 +1,126 @@
commit a205e87ecd856f45ff7f84066edebca831738704
Author: Quentin Armitage <quentin@armitage.org.uk>
Date: Sun Jun 9 17:07:18 2024 +0100
vrrp: remove need for route to have configured interface to track it
If a virtual route did not have an interface configured, keepalived would
log a warning saying that it could not track the route, and then would
disable tracking of that route.
It appears that it is not necessary to know the interface in order to track
the route, and in any event the netlink message received after adding the
route identifies the interface for the route if it is appropriate.
So this commit removes the requirement to specify an interface in order to
track a route.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
diff --git a/keepalived/core/keepalived_netlink.c b/keepalived/core/keepalived_netlink.c
index 198d0e10..da3596fd 100644
--- a/keepalived/core/keepalived_netlink.c
+++ b/keepalived/core/keepalived_netlink.c
@@ -276,9 +276,10 @@ compare_route(struct rtattr *tb[RTA_MAX + 1], ip_route_t *route, uint32_t table,
if (route->oif) {
if (!tb[RTA_OIF] || route->oif->ifindex != *PTR_CAST(uint32_t, RTA_DATA(tb[RTA_OIF])))
return false;
- } else {
- if (route->set && route->configured_ifindex &&
- (!tb[RTA_OIF] || route->configured_ifindex != *PTR_CAST(uint32_t, RTA_DATA(tb[RTA_OIF]))))
+ } else if (route->set) {
+ if (!tb[RTA_OIF] != !route->configured_ifindex)
+ return false;
+ if (tb[RTA_OIF] && route->configured_ifindex != *PTR_CAST(uint32_t, RTA_DATA(tb[RTA_OIF])))
return false;
}
@@ -2360,9 +2361,8 @@ netlink_route_filter(__attribute__((unused)) struct sockaddr_nl *snl, struct nlm
route->configured_ifindex = *PTR_CAST(uint32_t, RTA_DATA(tb[RTA_OIF]));
if (route->oif && route->oif->ifindex != route->configured_ifindex)
log_message(LOG_INFO, "route added index %" PRIu32 " != config index %u", route->configured_ifindex, route->oif->ifindex);
- }
- else
- log_message(LOG_INFO, "New route doesn't have i/f index");
+ } else
+ route->configured_ifindex = 0;
return 0;
}
diff --git a/keepalived/vrrp/vrrp.c b/keepalived/vrrp/vrrp.c
index 9486f935..2970591b 100644
--- a/keepalived/vrrp/vrrp.c
+++ b/keepalived/vrrp/vrrp.c
@@ -1764,7 +1764,7 @@ vrrp_restore_interface(vrrp_t * vrrp, bool advF, bool force)
/* remove virtual routes */
if (!list_empty(&vrrp->vroutes))
- vrrp_handle_iproutes(vrrp, IPROUTE_DEL, false);
+ vrrp_handle_iproutes(vrrp, IPROUTE_DEL, force);
/* empty the delayed arp list */
vrrp_remove_delayed_arp(vrrp);
diff --git a/keepalived/vrrp/vrrp_iproute.c b/keepalived/vrrp/vrrp_iproute.c
index c2791945..91311800 100644
--- a/keepalived/vrrp/vrrp_iproute.c
+++ b/keepalived/vrrp/vrrp_iproute.c
@@ -531,9 +531,10 @@ netlink_rtlist(list_head_t *rt_list, int cmd, bool force)
list_for_each_entry(ip_route, rt_list, e_list) {
if ((cmd == IPROUTE_DEL) == ip_route->set || force) {
- if (!netlink_route(ip_route, cmd))
- ip_route->set = (cmd == IPROUTE_ADD);
- else if (cmd != IPROUTE_ADD)
+ if (!netlink_route(ip_route, cmd)) {
+ if (cmd == IPROUTE_DEL)
+ ip_route->set = false;
+ } else if (cmd != IPROUTE_ADD)
ip_route->set = false;
}
}
@@ -1871,21 +1872,6 @@ alloc_route(list_head_t *rt_list, const vector_t *strvec, bool allow_track_group
report_config_error(CONFIG_GENERAL_ERROR, "Route cannot be tracked if protocol is not RTPROT_KEEPALIVED(%d), resetting protocol", RTPROT_KEEPALIVED);
new->protocol = RTPROT_KEEPALIVED;
new->mask |= IPROUTE_BIT_PROTOCOL;
-
- if (!new->oif) {
- /* Alternative is to track oif from when route last added.
- * The interface will need to be added temporarily. tracking_obj_t will need
- * a flag to specify permanent track, and a counter for number of temporary
- * trackers. If the termporary tracker count becomes 0 and there is no permanent
- * track, then the tracking_obj_t will need to be removed.
- *
- * We also have a problem if using nexthop, since the route will only be deleted
- * when the interfaces for all of the hops have gone down. We would need to track
- * all of the interfaces being used, and only mark the route as down if all the
- * interfaces are down. */
- report_config_error(CONFIG_GENERAL_ERROR, "Warning - cannot track route %s with no interface specified, not tracking", dest);
- new->dont_track = true;
- }
}
if (new->track_group && !new->oif) {
diff --git a/keepalived/vrrp/vrrp_scheduler.c b/keepalived/vrrp/vrrp_scheduler.c
index fc40d59d..8c1747c6 100644
--- a/keepalived/vrrp/vrrp_scheduler.c
+++ b/keepalived/vrrp/vrrp_scheduler.c
@@ -65,6 +65,8 @@
#ifdef _WITH_LVS_
#include "ipvswrapper.h"
#endif
+#include "keepalived_netlink.h"
+
/* For load testing recvmsg() */
/* #define DEBUG_RECVMSG */
@@ -266,7 +268,9 @@ vrrp_init_state(list_head_t *l)
#endif
/* Set interface state */
- vrrp_restore_interface(vrrp, false, false);
+ netlink_error_ignore = ESRCH; // returned if route does not exist
+ vrrp_restore_interface(vrrp, false, true);
+ netlink_error_ignore = 0;
if (is_up &&
new_state != VRRP_STATE_FAULT &&
!vrrp->num_script_init &&
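Review bot: In netlink_rtlist() a successful IPROUTE_ADD no longer sets `ip_route->set`, and nothing in the hunk says what sets it now; presumably the flag is raised when netlink_route_filter() sees the kernel's new-route message, and a comment such as `/* set is updated by netlink_route_filter() when the kernel reports the route added */` on the add path would make that dependency explicit. In vrrp_init_state() the call becomes `vrrp_restore_interface(vrrp, false, true)`, and with `force` now passed through to vrrp_handle_iproutes() the delete is attempted for every configured virtual route whether or not `set` is true, so at start-up a route that matches the configuration but was installed by something else would appear to be removed as well; worth confirming that is acceptable. `netlink_error_ignore` is a global that is assigned ESRCH and then reset to 0 rather than restored to its previous value, which is only safe if no caller relies on a non-zero value across this call. All of these functions continue outside the hunks shown.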


@ -1,23 +0,0 @@
commit 4a56ddf74b310d75c31bb98fee6f6789b04f6891
Author: Quentin Armitage <quentin@armitage.org.uk>
Date: Mon Jul 20 07:03:54 2020 +0100
vrrp: Fix building without VMAC support
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
diff --git a/keepalived/vrrp/vrrp_parser.c b/keepalived/vrrp/vrrp_parser.c
index 1d19c684..3e05f698 100644
--- a/keepalived/vrrp/vrrp_parser.c
+++ b/keepalived/vrrp/vrrp_parser.c
@@ -412,9 +412,9 @@ vrrp_handler(const vector_t *strvec)
static void
vrrp_end_handler(void)
{
-#ifdef _HAVE_VRRP_VMAC_
vrrp_t *vrrp = list_last_entry(&vrrp_data->vrrp, vrrp_t, e_list);
+#ifdef _HAVE_VRRP_VMAC_
if (!list_empty(&vrrp->unicast_peer) && vrrp->vmac_flags) {
report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers - clearing use_vmac", vrrp->iname);
vrrp->vmac_flags = 0;


@ -1,97 +0,0 @@
commit 97429b3b7e6ec2f5b9c93a5d507b152bab30f919
Author: Quentin Armitage <quentin@armitage.org.uk>
Date: Wed Sep 16 15:35:44 2020 +0100
vrrp: Fix using VMACs with unicast peers
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
diff --git a/doc/man/man5/keepalived.conf.5 b/doc/man/man5/keepalived.conf.5
index e6b230c6..83a5915f 100644
--- a/doc/man/man5/keepalived.conf.5
+++ b/doc/man/man5/keepalived.conf.5
@@ -1359,6 +1359,8 @@ The syntax for vrrp_instance is :
# all.rp_filter, as will default.rp_filter, and all.rp_filter
# will be set to 0.
# The original settings are restored on termination.
+ # \fBNOTE 2\fR: If using use_vmac with unicast peers,
+ # vmac_xmit_base must be set.
\fBuse_vmac \fR[<VMAC_INTERFACE>]
# Send/Recv VRRP messages from base interface instead of
diff --git a/keepalived/vrrp/vrrp_parser.c b/keepalived/vrrp/vrrp_parser.c
index 5cf1eea1..d1e2d8ea 100644
--- a/keepalived/vrrp/vrrp_parser.c
+++ b/keepalived/vrrp/vrrp_parser.c
@@ -416,9 +416,14 @@ vrrp_end_handler(void)
#ifdef _HAVE_VRRP_VMAC_
if (!list_empty(&vrrp->unicast_peer) && vrrp->vmac_flags) {
- report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers - clearing use_vmac", vrrp->iname);
- vrrp->vmac_flags = 0;
- vrrp->vmac_ifname[0] = '\0';
+ if (!vrrp->ifp) {
+ report_config_error(CONFIG_GENERAL_ERROR, "(%s): Cannot use VMAC/ipvlan with unicast peers and no interface - clearing use_vmac", vrrp->iname);
+ vrrp->vmac_flags = 0;
+ vrrp->vmac_ifname[0] = '\0';
+ } else if (!__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) {
+ report_config_error(CONFIG_GENERAL_ERROR, "(%s) unicast with use_vmac requires vmac_xmit_base - setting", vrrp->iname);
+ __set_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags);
+ }
}
#endif
diff --git a/keepalived/vrrp/vrrp_scheduler.c b/keepalived/vrrp/vrrp_scheduler.c
index 2fb859e1..d9271720 100644
--- a/keepalived/vrrp/vrrp_scheduler.c
+++ b/keepalived/vrrp/vrrp_scheduler.c
@@ -459,17 +459,17 @@ vrrp_create_sockpool(list_head_t *l)
struct sockaddr_storage *unicast_src;
list_for_each_entry(vrrp, &vrrp_data->vrrp, e_list) {
- if (list_empty(&vrrp->unicast_peer)) {
- ifp =
-#ifdef _HAVE_VRRP_VMAC_
- (__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) ? vrrp->configured_ifp :
-#endif
- vrrp->ifp;
+ if (list_empty(&vrrp->unicast_peer))
unicast_src = NULL;
- } else {
+ else
unicast_src = &vrrp->saddr;
- ifp = vrrp->ifp;
- }
+
+ ifp =
+#ifdef _HAVE_VRRP_VMAC_
+ (__test_bit(VRRP_VMAC_XMITBASE_BIT, &vrrp->vmac_flags)) ? vrrp->configured_ifp :
+#endif
+ vrrp->ifp;
+
proto = IPPROTO_VRRP;
#if defined _WITH_VRRP_AUTH_
if (vrrp->auth_type == VRRP_AUTH_AH)
@@ -607,13 +607,6 @@ vrrp_lower_prio_gratuitous_arp_thread(thread_ref_t thread)
vrrp_send_link_update(vrrp, vrrp->garp_lower_prio_rep);
}
-static void
-vrrp_master(vrrp_t * vrrp)
-{
- /* Send the VRRP advert */
- vrrp_state_master_tx(vrrp);
-}
-
void
try_up_instance(vrrp_t *vrrp, bool leaving_init)
{
@@ -802,7 +795,7 @@ vrrp_dispatcher_read_timeout(sock_t *sock)
vrrp_goto_master(vrrp);
}
else if (vrrp->state == VRRP_STATE_MAST)
- vrrp_master(vrrp);
+ vrrp_state_master_tx(vrrp);
/* handle instance synchronization */
#ifdef _TSM_DEBUG_


@ -1,40 +0,0 @@
commit e2b4d108d68ada3af8ad437e2e291fcac1fd0ff7
Author: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue Oct 20 11:24:48 2020 +0100
ipvs: Allow real servers to be specified with a weight of 0
This currently only really makes sense when also having a FILE_CHECK
with non-zero weight configured, or a MISC_CHECK with "misc_dynamic",
since otherwise there is no way that the weight of the real server can
be changed to be non-zero.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
diff --git a/keepalived/check/ipwrapper.c b/keepalived/check/ipwrapper.c
index a4c40d6c..4b9ccb6f 100644
--- a/keepalived/check/ipwrapper.c
+++ b/keepalived/check/ipwrapper.c
@@ -410,8 +410,8 @@ init_service_rs(virtual_server_t *vs)
rs->num_failed_checkers++;
}
- if (rs->effective_weight < 1)
- rs->weight = 1;
+ if (rs->effective_weight < 0)
+ rs->weight = 0;
else if (rs->effective_weight > IPVS_WEIGHT_MAX - 1)
rs->weight = IPVS_WEIGHT_MAX - 1;
else
@@ -667,9 +667,8 @@ update_svr_wgt(int weight, virtual_server_t * vs, real_server_t * rs
{
rs->effective_weight = weight;
-/* TODO - handle weight = 0 - ? affects quorum */
- if (weight <= 0)
- weight = 1;
+ if (weight < 0)
+ weight = 0;
#if IPVS_WEIGHT_MAX != INT_MAX
else if (weight > IPVS_WEIGHT_MAX)
weight = IPVS_WEIGHT_MAX;


@ -1,55 +0,0 @@
From ff476e860e91c1a814ac038ee16790a2a5b950af Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Mon, 18 Jan 2021 14:38:15 +0000
Subject: [PATCH 1/2] Revert "Explicitly set LOG_USER log facility when
syslogging"
This reverts commit db3bcf7b891881e8e70954424f0fe88ec7d37ce0.
This commit was just plain wrong. The facility should default to
LOG_DAEMON (see keepalived(8) man page), but if --log-facility is
specified, that is the facility to which log entries should be logged.
---
lib/logger.c | 5 +----
lib/logger.h | 2 +-
2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/lib/logger.c b/lib/logger.c
index a0cc2048..34c83f32 100644
--- a/lib/logger.c
+++ b/lib/logger.c
@@ -133,7 +133,7 @@ block_signals(sigset_t *cur_set)
#endif
void
-vlog_message(int facility, const char* format, va_list args)
+vlog_message(const int facility, const char* format, va_list args)
{
#ifndef HAVE_SIGNALFD
sigset_t cur_set;
@@ -213,9 +213,6 @@ vlog_message(int facility, const char* format, va_list args)
restore_signals = true;
#endif
- if (!(facility & LOG_FACMASK))
- facility |= LOG_USER;
-
#if HAVE_VSYSLOG
vsyslog(facility, format, args);
#else
diff --git a/lib/logger.h b/lib/logger.h
index 7536536a..20b2a7e4 100644
--- a/lib/logger.h
+++ b/lib/logger.h
@@ -44,7 +44,7 @@ extern void open_log_file(const char *, const char *, const char *, const char *
extern void flush_log_file(void);
extern void update_log_file_perms(mode_t);
#endif
-extern void vlog_message(int facility, const char* format, va_list args)
+extern void vlog_message(const int facility, const char* format, va_list args)
__attribute__ ((format (printf, 2, 0)));
extern void log_message(int priority, const char* format, ...)
__attribute__ ((format (printf, 2, 3)));
--
2.31.1


@ -1,165 +0,0 @@
From 75ea1d31c17f4bb3a73590167658310bc9f67149 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Mon, 18 Jan 2021 14:57:30 +0000
Subject: [PATCH 2/2] all: log to LOG_DAEMON facility by default
keepalived(8) man page states that the default log facility is LOG_DAEMON.
Commit db3bcf7 - "Explicitly set LOG_USER log facility when syslogging"
incorrectly set the facility to LOG_USER, and that has now been reverted.
However, with that reverted, by default the VRRP process logs to LOG_LOCAL1
and the checker and BFD processes log to LOG_LOCAL2, contrary to the
documentation.
Since no-one has commented that logs were not going to LOG_LOCAL1/2 since
commit db3bcf7 (April 28 2020), it is safe to assume that no-one was relying
on that. This commit therefore reverts to the documentation and by default
logs everything to the LOG_DAEMON facility.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
keepalived/bfd/bfd_daemon.c | 3 +--
keepalived/check/check_daemon.c | 3 +--
keepalived/core/main.c | 7 +++----
keepalived/include/main.h | 1 -
keepalived/vrrp/vrrp_daemon.c | 3 +--
lib/logger.c | 2 ++
lib/logger.h | 10 ++++++++++
7 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/keepalived/bfd/bfd_daemon.c b/keepalived/bfd/bfd_daemon.c
index cf74eee3..47d87892 100644
--- a/keepalived/bfd/bfd_daemon.c
+++ b/keepalived/bfd/bfd_daemon.c
@@ -396,8 +396,7 @@ start_bfd_child(void)
/* Opening local BFD syslog channel */
if (!__test_bit(NO_SYSLOG_BIT, &debug))
- openlog(syslog_ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0)
- , (log_facility==LOG_DAEMON) ? LOG_LOCAL2 : log_facility);
+ open_syslog(syslog_ident);
#ifdef ENABLE_LOG_TO_FILE
if (log_file_name)
diff --git a/keepalived/check/check_daemon.c b/keepalived/check/check_daemon.c
index 5e03cc4c..63bdf07b 100644
--- a/keepalived/check/check_daemon.c
+++ b/keepalived/check/check_daemon.c
@@ -689,8 +689,7 @@ start_check_child(void)
/* Opening local CHECK syslog channel */
if (!__test_bit(NO_SYSLOG_BIT, &debug))
- openlog(syslog_ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0)
- , (log_facility==LOG_DAEMON) ? LOG_LOCAL2 : log_facility);
+ open_syslog(syslog_ident);
#ifdef ENABLE_LOG_TO_FILE
if (log_file_name)
diff --git a/keepalived/core/main.c b/keepalived/core/main.c
index be4488ea..756b2f12 100644
--- a/keepalived/core/main.c
+++ b/keepalived/core/main.c
@@ -149,7 +149,6 @@ static const struct child_term children_term[] = {
/* global var */
const char *version_string = VERSION_STRING; /* keepalived version */
const char *conf_file = KEEPALIVED_CONFIG_FILE; /* Configuration file */
-int log_facility = LOG_DAEMON; /* Optional logging facilities */
bool reload; /* Set during a reload */
const char *main_pidfile; /* overrule default pidfile */
static bool free_main_pidfile;
@@ -2087,7 +2086,7 @@ keepalived_main(int argc, char **argv)
umask(umask_val);
/* Open log with default settings so we can log initially */
- openlog(PACKAGE_NAME, LOG_PID, log_facility);
+ open_syslog(PACKAGE_NAME);
#ifdef _MEM_CHECK_
mem_log_init(PACKAGE_NAME, "Parent process");
@@ -2128,7 +2127,7 @@ keepalived_main(int argc, char **argv)
if (parse_cmdline(argc, argv)) {
closelog();
if (!__test_bit(NO_SYSLOG_BIT, &debug))
- openlog(PACKAGE_NAME, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0) , log_facility);
+ open_syslog(PACKAGE_NAME);
}
if (__test_bit(LOG_CONSOLE_BIT, &debug))
@@ -2212,7 +2211,7 @@ keepalived_main(int argc, char **argv)
if ((syslog_ident = make_syslog_ident(PACKAGE_NAME))) {
log_message(LOG_INFO, "Changing syslog ident to %s", syslog_ident);
closelog();
- openlog(syslog_ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0), log_facility);
+ open_syslog(syslog_ident);
}
else
log_message(LOG_INFO, "Unable to change syslog ident");
diff --git a/keepalived/include/main.h b/keepalived/include/main.h
index 3e013bb6..6a34797b 100644
--- a/keepalived/include/main.h
+++ b/keepalived/include/main.h
@@ -51,7 +51,6 @@ enum daemon_bits {
extern const char *version_string; /* keepalived version */
extern unsigned long daemon_mode; /* Which child processes are run */
extern const char *conf_file; /* Configuration file */
-extern int log_facility; /* Optional logging facilities */
#ifdef _WITH_VRRP_
extern pid_t vrrp_child; /* VRRP child process ID */
extern const char *vrrp_pidfile; /* overrule default pidfile */
diff --git a/keepalived/vrrp/vrrp_daemon.c b/keepalived/vrrp/vrrp_daemon.c
index baa5f5f2..e22f8a81 100644
--- a/keepalived/vrrp/vrrp_daemon.c
+++ b/keepalived/vrrp/vrrp_daemon.c
@@ -974,8 +974,7 @@ start_vrrp_child(void)
syslog_ident = PROG_VRRP;
if (!__test_bit(NO_SYSLOG_BIT, &debug))
- openlog(syslog_ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0)
- , (log_facility==LOG_DAEMON) ? LOG_LOCAL1 : log_facility);
+ open_syslog(syslog_ident);
#ifdef ENABLE_LOG_TO_FILE
if (log_file_name)
diff --git a/lib/logger.c b/lib/logger.c
index 34c83f32..7fad8ac6 100644
--- a/lib/logger.c
+++ b/lib/logger.c
@@ -40,6 +40,8 @@
/* Boolean flag - send messages to console as well as syslog */
static bool log_console = false;
+int log_facility = LOG_DAEMON; /* Optional logging facilities */
+
#ifdef ENABLE_LOG_TO_FILE
/* File to write log messages to */
const char *log_file_name;
diff --git a/lib/logger.h b/lib/logger.h
index 20b2a7e4..c6f29138 100644
--- a/lib/logger.h
+++ b/lib/logger.h
@@ -30,8 +30,13 @@
#include <sys/stat.h>
#endif
+#include "bitops.h"
+#include "utils.h"
+
#define MAX_LOG_MSG 255
+extern int log_facility; /* Optional logging facilities */
+
#ifdef ENABLE_LOG_TO_FILE
extern const char *log_file_name;
#endif
@@ -51,4 +56,9 @@ extern void log_message(int priority, const char* format, ...)
extern void conf_write(FILE *fp, const char *format, ...)
__attribute__ ((format (printf, 2, 3)));
+static inline void
+open_syslog(const char *ident)
+{
+ openlog(ident, LOG_PID | ((__test_bit(LOG_CONSOLE_BIT, &debug)) ? LOG_CONS : 0), log_facility);
+}
#endif
--
2.31.1


@ -1,41 +0,0 @@
From 763eaa49343acdda5ff359012e8cc49c9ffc8e81 Mon Sep 17 00:00:00 2001
From: Vincent Bernat <vincent@bernat.ch>
Date: Tue, 23 Nov 2021 06:50:59 +0100
Subject: [PATCH] dbus: fix policy to not be overly broad
The DBus policy did not restrict the message destination, allowing any
user to inspect and manipulate any property.
Signed-off-by: Vincent Bernat <vincent@bernat.ch>
---
keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf b/keepalived/dbus/org.keepalived.Vrrp1.conf
index 2b78a575..b5ced608 100644
--- a/keepalived/dbus/org.keepalived.Vrrp1.conf
+++ b/keepalived/dbus/org.keepalived.Vrrp1.conf
@@ -3,12 +3,15 @@
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
- <allow own="org.keepalived.Vrrp1"/>
- <allow send_destination="org.keepalived.Vrrp1"/>
+ <allow own="org.keepalived.Vrrp1" />
+ <allow send_destination="org.keepalived.Vrrp1" />
</policy>
<policy context="default">
- <allow send_interface="org.freedesktop.DBus.Introspectable" />
- <allow send_interface="org.freedesktop.DBus.Peer" />
- <allow send_interface="org.freedesktop.DBus.Properties" />
+ <allow send_destination="org.keepalived.Vrrp1"
+ send_interface="org.freedesktop.DBus.Introspectable" />
+ <allow send_destination="org.keepalived.Vrrp1"
+ send_interface="org.freedesktop.DBus.Peer" />
+ <allow send_destination="org.keepalived.Vrrp1"
+ send_interface="org.freedesktop.DBus.Properties" />
</policy>
</busconfig>
--
2.33.1


@ -1,41 +0,0 @@
From d93b2051641ebfc4c5dcdc405ed0f26b9bcaa65a Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Sat, 25 Jul 2020 10:13:32 +0100
Subject: [PATCH] vrrp: Don't remove unweighted track scripts from sync group
members
Commit 3390697 - "vrrp: rewrote framework using list_head_t design"
cleared the track_script list for any vrrp instance that was in a
sync group. This was due to the old list structure allocating memory
which had to be freed if the list was empty, but that is no longer
the case with list_head.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
keepalived/vrrp/vrrp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/keepalived/vrrp/vrrp.c b/keepalived/vrrp/vrrp.c
index c8967eef..c7ded6b4 100644
--- a/keepalived/vrrp/vrrp.c
+++ b/keepalived/vrrp/vrrp.c
@@ -3406,7 +3406,7 @@ vrrp_complete_instance(vrrp_t * vrrp)
free_track_if_list(&vrrp->track_ifp);
/* Ignore any weighted script */
- list_for_each_entry_safe(sc, sc_tmp, &vrrp->track_script,e_list) {
+ list_for_each_entry_safe(sc, sc_tmp, &vrrp->track_script, e_list) {
if (sc->weight) {
report_config_error(CONFIG_GENERAL_ERROR, "(%s) ignoring "
"tracked script %s with weights due to %s"
@@ -3417,7 +3417,6 @@ vrrp_complete_instance(vrrp_t * vrrp)
free_track_script(sc);
}
}
- free_track_script_list(&vrrp->track_script);
/* Set tracking files to unweighted if weight not explicitly set, otherwise ignore */
list_for_each_entry_safe(tfl, tfl_tmp, &vrrp->track_file, e_list) {
--
2.33.1

6
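--- a/gating.yaml
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+- rhel-9
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}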

110
keepalived.init Normal file

@ -0,0 +1,110 @@
#!/bin/sh
#
# keepalived High Availability monitor built upon LVS and VRRP
#
# chkconfig: - 86 14
# description: Robust keepalive facility to the Linux Virtual Server project \
# with multilayer TCP/IP stack checks.
### BEGIN INIT INFO
# Provides: keepalived
# Required-Start: $local_fs $network $named $syslog
# Required-Stop: $local_fs $network $named $syslog
# Should-Start: smtpdaemon httpd
# Should-Stop: smtpdaemon httpd
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: High Availability monitor built upon LVS and VRRP
# Description: Robust keepalive facility to the Linux Virtual Server
# project with multilayer TCP/IP stack checks.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/sbin/keepalived"
prog="keepalived"
config="/etc/keepalived/keepalived.conf"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
start() {
[ -x $exec ] || exit 5
[ -e $config ] || exit 6
echo -n $"Starting $prog: "
daemon $exec $KEEPALIVED_OPTIONS
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc $prog
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
echo -n $"Reloading $prog: "
killproc $prog -1
retval=$?
echo
return $retval
}
force_reload() {
restart
}
rh_status() {
status $prog
}
rh_status_q() {
rh_status &>/dev/null
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?
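Review bot: The script declares `#!/bin/sh` but uses bash-only syntax: `rh_status &>/dev/null` in rh_status_q() and the `$"..."` localised strings in the echo lines. Under a strictly POSIX shell `&>` is parsed as a background `&` followed by a redirection, so rh_status_q would always succeed and the start/stop/reload guards in the `case` block would misbehave; use `rh_status >/dev/null 2>&1`, or change the shebang to `#!/bin/bash`. `$exec`, `$config` and `$lockfile` are expanded unquoted in the `[ -x $exec ]`, `[ -e $config ]`, `touch` and `rm -f` lines and should be quoted; `$KEEPALIVED_OPTIONS` is presumably left unquoted on purpose for word splitting. The script also sources `/etc/sysconfig/$prog` as root, so that file has to stay root-owned and not writable by other users.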


@ -4,11 +4,12 @@ After=network-online.target syslog.target
Wants=network-online.target Wants=network-online.target
[Service] [Service]
Type=forking Type=notify
PIDFile=/var/run/keepalived.pid NotifyAccess=all
PIDFile=/run/keepalived.pid
KillMode=process KillMode=process
EnvironmentFile=-/etc/sysconfig/keepalived EnvironmentFile=-/etc/sysconfig/keepalived
ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS ExecStart=/usr/sbin/keepalived --dont-fork $KEEPALIVED_OPTIONS
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
[Install] [Install]
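Review bot: `NotifyAccess=all` lets any process in the unit's control group send sd_notify messages, and that group would also include child processes and scripts started by keepalived; if the readiness notification comes from the process started by `ExecStart` (now run with `--dont-fork`), `NotifyAccess=main` is the narrower setting and is worth trying first. With `Type=notify` systemd already knows the main PID, so `PIDFile=/run/keepalived.pid` is probably redundant unless something else reads it. `KillMode=process` is kept, so on stop systemd signals only the main process and the children are left to keepalived's own shutdown handling.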


@ -1,7 +1,8 @@
%bcond_without snmp %bcond_without snmp
%bcond_without vrrp %bcond_without vrrp
%bcond_without sha1 %bcond_without sha1
%bcond_with iptables %bcond_without json
%bcond_without nftables
%bcond_with profile %bcond_with profile
%bcond_with debug %bcond_with debug
@ -9,24 +10,17 @@
Name: keepalived Name: keepalived
Summary: High Availability monitor built upon LVS, VRRP and service pollers Summary: High Availability monitor built upon LVS, VRRP and service pollers
Version: 2.1.5 Version: 2.2.8
Release: 11%{?dist} Release: 6%{?dist}
License: GPLv2+ License: GPLv2+
URL: http://www.keepalived.org/ URL: http://www.keepalived.org/
Group: System Environment/Daemons
Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz
Source1: keepalived.service Source1: keepalived.service
Patch0: validate-ipset-names-better.patch
Patch1: bz1977716-revert-explicit-set-LOG_USER-facility.patch Patch1: RHEL-81939-check-child-register-again.patch
Patch2: bz1977716-use-LOG_DAEMON-facility-by-default.patch Patch2: RHEL-40520-1.patch
Patch3: bz2028350-fix-dbus-policy-restrictions.patch Patch3: RHEL-40520-2.patch
Patch4: bz2054249-fix-unweighted-track-scripts.patch
Patch5: RHEL-49561-validate-ipset-names-better.patch
Patch6: RHEL-7694-dep.patch
Patch7: RHEL-7694.patch
Patch8: RHEL-7699.patch
Patch9: RHEL-66742.patch
Requires(post): systemd Requires(post): systemd
Requires(preun): systemd Requires(preun): systemd
@ -35,16 +29,21 @@ Requires(postun): systemd
%if %{with snmp} %if %{with snmp}
BuildRequires: net-snmp-devel BuildRequires: net-snmp-devel
%endif %endif
%if %{with iptables} %if %{with nftables}
BuildRequires: libmnl-devel
BuildRequires: libnftnl-devel
%else
BuildRequires: ipset-devel BuildRequires: ipset-devel
BuildRequires: iptables-devel BuildRequires: iptables-devel
%endif %endif
BuildRequires: gcc BuildRequires: gcc
BuildRequires: automake
BuildRequires: systemd-units BuildRequires: systemd-units
BuildRequires: systemd-devel
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: libnl3-devel BuildRequires: libnl3-devel
BuildRequires: libnfnetlink-devel BuildRequires: libnfnetlink-devel
BuildRequires: file-devel
BuildRequires: make
%description %description
Keepalived provides simple and robust facilities for load balancing Keepalived provides simple and robust facilities for load balancing
@ -61,25 +60,17 @@ can be used independently or all together to provide resilient
infrastructures. infrastructures.
%prep %prep
%setup -q %autosetup -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build %build
%configure \ %configure \
%{?with_debug:--enable-debug} \ %{?with_debug:--enable-debug} \
%{?with_profile:--enable-profile} \ %{?with_profile:--enable-profile} \
%{!?with_vrrp:--disable-vrrp} \ %{!?with_vrrp:--disable-vrrp} \
%{!?with_iptables:--disable-libiptc --disable-ipset} \
%{?with_snmp:--enable-snmp --enable-snmp-rfc} \ %{?with_snmp:--enable-snmp --enable-snmp-rfc} \
%{?with_nftables:--enable-nftables --disable-iptables} \
%{?with_sha1:--enable-sha1} \ %{?with_sha1:--enable-sha1} \
%{?with_json:--enable-json} \
--with-init=systemd --with-init=systemd
%{__make} %{?_smp_mflags} STRIP=/bin/true %{__make} %{?_smp_mflags} STRIP=/bin/true
@ -88,6 +79,8 @@ rm -rf %{buildroot}
make install DESTDIR=%{buildroot} make install DESTDIR=%{buildroot}
rm -rf %{buildroot}%{_initrddir}/ rm -rf %{buildroot}%{_initrddir}/
rm -rf %{buildroot}%{_sysconfdir}/keepalived/samples/ rm -rf %{buildroot}%{_sysconfdir}/keepalived/samples/
mv %{buildroot}%{_sysconfdir}/keepalived/keepalived.conf.sample \
%{buildroot}%{_sysconfdir}/keepalived/keepalived.conf
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/keepalived.service %{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/keepalived.service
mkdir -p %{buildroot}%{_libexecdir}/keepalived mkdir -p %{buildroot}%{_libexecdir}/keepalived
@ -101,7 +94,6 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
%systemd_postun_with_restart keepalived.service %systemd_postun_with_restart keepalived.service
%files %files
%defattr(-,root,root,-)
%attr(0755,root,root) %{_sbindir}/keepalived %attr(0755,root,root) %{_sbindir}/keepalived
%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/sysconfig/keepalived %config(noreplace) %attr(0644,root,root) %{_sysconfdir}/sysconfig/keepalived
%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/keepalived/keepalived.conf %config(noreplace) %attr(0644,root,root) %{_sysconfdir}/keepalived/keepalived.conf
@ -121,77 +113,158 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived
%{_mandir}/man8/keepalived.8* %{_mandir}/man8/keepalived.8*
%changelog %changelog
* Mon May 12 2025 Christine Caulfield <ccaulfie@redhat.com> - 2.2.8-6
- fix "Keepalived claims that blackhole route doesn't have interface and can't be tracked"
Resolves: RHEL-40520
* Fri Jan 31 2025 Christine Caulfield <ccaulfie@redhat.com> - 2.1.5-11 * Mon Mar 10 2025 Christine Caulfield <ccaulfie@redhat.com> - 2.2.8-5
- ipvs: Allow real servers to be specified with a weight of 0
Resolves: RHEL-7699
- vrrp: Fix using VMACs with unicast peers
Resolves: RHEL-7694
- lvs: if lost misc check child register checker again - lvs: if lost misc check child register checker again
Resolves: RHEL-66742 Resolves: RHEL-81939
* Mon Dec 2 2024 Christine Caulfield <ccaulfie@redhat.com> - 2.1.5-10 * Mon Dec 2 2024 Christine Caulfield <ccaulfie@redhat.com> - 2.2.8-4
- CVE-2024-41184 - Better validation of ipsetnames for CVE-2024-41184
Resolves: RHEL-49561 Resolves: RHEL-49558
* Thu Jul 21 2022 Ryan O'Hara <rohara@redhat.com> - 2.1.5-9 * Fri Jun 30 2023 Ryan O'Hara <rohara@redhat.com> - 2.2.8-2
- Fix removal of unweighted track scripts from sync group (#2054249) - Fix keepalived.conf installation (#2215308)
* Tue Jan 18 2022 Ryan O'Hara <rohara@redhat.com> - 2.1.5-8 * Thu Jun 15 2023 Ryan O'Hara <rohara@redhat.com> - 2.2.8-1
- Fix DBus policy restrictions (#2028350, CVE-2021-44225) - Update to 2.2.8 (#2215308)
* Fri Oct 29 2021 Ryan O'Hara <rohara@redhat.com> - 2.1.5-7 * Fri Dec 23 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-6
- Fix log-facility option (#197716) - Fix unterminated endif in previous patch (#2134749)
* Tue Dec 15 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.5-6 * Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-5
- Fix changelog - Fix memory leak in https checks (#2134749)
* Tue Oct 20 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.5-5 * Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-4
- Update to 2.1.5 (#1889440) - Fix variable substitution in consditional lines (#2101493)
- Fix intermittent child lost messages (#1868077)
* Tue Jun 16 2020 Ryan O'Hara <rohara@redhat.com> - 2.0.10-11
- Fix vrrp_script execution (#1683438)
* Mon Feb 24 2020 Ryan O'Hara <rohara@redhat.com> - 2.0.10-10 * Thu Dec 22 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-3
- Disable libiptc/ipset (#1806642) - Enable JSON support (#2129819)
* Thu Jan 30 2020 Ryan O'Hara <rohara@redhat.com> - 2.0.10-9 * Mon Feb 21 2022 Ryan O'Hara <rohara@redhat.com> - 2.2.4-2
- Fix FAULT state when interface is renamed (#1792160) - Fix DBus policy restrictions (#2028351, CVE-2021-44225)
* Mon Jul 08 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-7 * Mon Aug 23 2021 Ryan O'Hara <rohara@redhat.com> - 2.2.4-1
- Add gating tests (#1682114) - Update to 2.2.4 (#1968596)
* Wed May 01 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-6 * Mon Aug 16 2021 Ryan O'Hara <rohara@redhat.com> - 2.2.3-2
- Fix segfault when smtp alerts configured (#1693706) - Add gating tests (#1968596)
- Fix double free when smtp_helo_name copied from local_name (#1693706)
* Wed Mar 27 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-5 * Mon Aug 16 2021 Ryan O'Hara <rohara@redhat.com> - 2.2.3-1
- Bump release nummber (#1688892) - Update to 2.2.3 (#1968596)
* Mon Mar 18 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-3 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
- Rework fix for OpenSSL initialization segfault (#1688892) - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Mar 15 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-2 * Sat Aug 07 2021 Ryan O'Hara <rohara@redhat.com> - 2.2.2-5
- Fix OpenSSL initialization segfault (#1688892) - Ignore badfuncs error in rpminspect (#1968596)
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.2-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Jun 08 2021 Ryan O'Hara <rohara@redhat.com> - 2.2.2-3
- Add systemd notify support (#1968596)
* Tue Jun 08 2021 Ryan O'Hara <rohara@redhat.com> - 2.2.2-2
- Fix build errors (#1968596)
* Mon Jun 07 2021 Ryan O'Hara <rohara@redhat.com> - 2.2.2-1
- Update to 2.2.2 (#1968596)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.1-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jan 18 2021 Ryan O'Hara <rohara@redhat.com> - 2.2.1-1
- Update to 2.2.1 (#1917152)
* Thu Jan 14 2021 Ryan O'Hara <rohara@redhat.com> - 2.2.0-1
- Update to 2.2.0 (#1914512)
* Thu Aug 27 2020 Josef Řídký <jridky@redhat.com> - 2.1.5-3
- Rebuilt for new net-snmp release
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 15 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.5-1
- Update to 2.1.5 (#1794135)
* Tue Feb 18 2020 Ryan O'Hara <rohara@redhat.com> - 2.0.20-3
- Build with nftables support instead of iptables
* Thu Feb 13 2020 Ryan O'Hara <rohara@redhat.com> - 2.0.20-2
- Remove unused patches
* Wed Feb 12 2020 Ryan O'Hara <rohara@redhat.com> - 2.0.20-1
- Update to 2.0.20 (#1794135)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.19-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 12 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.19-4
- Fix file descriptor errors on reload
* Tue Nov 12 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.19-3
- Fix track_process with PIDs over 32767 (#1770766)
* Wed Nov 06 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.19-2
- Enable nftables support (#1769278)
* Wed Nov 06 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.19-1
- Update to 2.0.19 (#1763424)
* Tue Jul 30 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.18-2
- Change pidfile directory (#1712730)
* Tue Jul 30 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.18-1
- Update to 2.0.18 (#1678397)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.12-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jun 25 2019 Björn Esser <besser82@fedoraproject.org> - 2.0.12-2
- Rebuilt (iptables)
* Mon Feb 04 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.12-1
- Update to 2.0.12 (#1576138)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jan 09 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.11-1
- Update to 2.0.11
* Mon Nov 26 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.10-1 * Mon Nov 26 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.10-1
- Update to 2.0.10 (#1631816) - Update to 2.0.10
- Fix improper pathname validation (#1651864, CVE-2018-19044)
* Mon Oct 08 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.7-2 - Fix insecure permissions when creating temporary files (#1651868, CVE-2018-19045)
- Remove BuildRequires for ipset-devel - Fix insecure use of temporary files (#1651870, CVE-2018-19046)
- Fix buffer overflow when parsing HTTP status codes (#1651873, CVE-2018-19047)
* Tue Oct 02 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.7-1
- Update to 2.0.7 (#1631816)
* Thu Aug 09 2018 Josef Ridky <jridky@redhat.com> - 2.0.6-2
- Rebuild for Net-SNMP
* Wed Jul 25 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.6-1 * Wed Jul 25 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.6-1
- Update to 2.0.6 - Update to 2.0.6 (#1576138)
* Tue Jul 24 2018 Adam Williamson <awilliam@redhat.com> - 2.0.5-3
- Rebuild for new net-snmp
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 03 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.5-1 * Tue Jul 03 2018 Ryan O'Hara <rohara@redhat.com> - 2.0.5-1
- Update to 2.0.5 - Update to 2.0.5 (#1576138)
* Mon Jul 02 2018 Ryan O'Hara <rohara@redhat.com> - 1.4.5-1
- Update to 1.4.5
* Thu May 10 2018 Ryan O'Hara <rohara@redhat.com> - 1.4.4-1
- Update to 1.4.4 (#1576138)
* Thu Apr 19 2018 Ryan O'Hara <rohara@redhat.com> - 1.4.3-1 * Thu Apr 19 2018 Ryan O'Hara <rohara@redhat.com> - 1.4.3-1
- Update to 1.4.3 (#1565388) - Update to 1.4.3 (#1565388)

3
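--- /dev/null
+++ b/rpminspect.yaml
@@ -0,0 +1,3 @@
+---
+inspections:
+badfuncs: off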
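Review bot: `badfuncs: off` switches the whole inspection off with no comment saying which function tripped it, so any later use of a function on rpminspect's forbidden list in this package will also pass unnoticed. The 2.2.2-5 changelog entry on this page only says "Ignore badfuncs error in rpminspect (#1968596)". I would record the reason next to the setting, for example `# badfuncs off: keepalived calls <FLAGGED_FUNCTION> (placeholder); see #1968596`. If the rpminspect version in use allows it, narrowing the exception to the affected binary would be better than disabling the check for the whole package.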

1
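--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (keepalived-2.2.8.tar.gz) = dc0ab5b0ef8911a7859422eccc2771a40e942236c855a628158ed748eb5f7dc4b6f4850e9c3057e81fd9d2daa640ab51fb1d7af12748a613280a217b333eb06b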

17
tests/keepalived.conf.in Normal file

@ -0,0 +1,17 @@
global_defs {
router_id TEST
}
vrrp_instance VRRP {
state MASTER
priority 100
advert_int 1
interface eth0
virtual_router_id 100
virtual_ipaddress {
$VIP_INCLUDE
}
virtual_ipaddress_excluded {
$VIP_EXCLUDE
}
}

91
tests/run_tests.sh Executable file

@ -0,0 +1,91 @@
#!/bin/sh
export VIP_INCLUDE="192.168.1.101"
export VIP_EXCLUDE="192.168.1.102"
echo -ne "[debug]: setting up config file ... "
envsubst '${VIP_INCLUDE},${VIP_EXCLUDE}' < ./keepalived.conf.in > /etc/keepalived/keepalived.conf
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: starting service ... "
systemctl start keepalived
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: checking service active ... "
systemctl -q is-active keepalived
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
sleep 5
echo -ne "[debug]: checking included VIP ... "
ip addr show eth0 | grep -q ${VIP_INCLUDE}
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: checking excluded VIP ... "
ip addr show eth0 | grep -q ${VIP_EXCLUDE}
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: stopping service ... "
systemctl stop keepalived
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: checking service inactive ... "
systemctl -q is-active keepalived
if [ $? -ne 3 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
sleep 5
echo -ne "[debug]: checking include VIP ... "
ip addr show eth0 | grep -q ${VIP_INCLUDE}
if [ $? -ne 1 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: checking exclude VIP ... "
ip addr show eth0 | grep -q ${VIP_EXCLUDE}
if [ $? -ne 1 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
exit 0
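Review bot: The script overwrites `/etc/keepalived/keepalived.conf` at the envsubst step and never restores it, and every `exit 1` reached after `systemctl start keepalived` leaves the service running with the test addresses still on `eth0`. A cleanup handler installed before the config is written would stop the service and put the original file back on every exit path; the sketch below assumes the packaged config already exists at that path. Two smaller points: `echo -ne` is not defined for POSIX `sh`, so the script depends on `/bin/sh` being bash, and `grep -q ${VIP_INCLUDE}` treats the dots as wildcards, so `grep -qwF "${VIP_INCLUDE}"` would make the address checks exact.

```shell
CONF=/etc/keepalived/keepalived.conf
SAVED=$(mktemp) || exit 1
cp -p "$CONF" "$SAVED" || exit 1

cleanup() {
    systemctl stop keepalived
    cp -p "$SAVED" "$CONF"
    rm -f "$SAVED"
}
trap cleanup EXIT

# … unchanged: VIP exports, envsubst into "$CONF", start/stop and VIP checks …
```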

11
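--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,11 @@
+- hosts: localhost
+roles:
+- role: standard-test-basic
+tags:
+- classic
+tests:
+- simple:
+dir: .
+run: ./run_tests.sh
+required_packages:
+- gettext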


@ -1,7 +1,19 @@
diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patched/keepalived/core/global_parser.c Version of this patch from upstream
--- keepalived-2.1.5/keepalived/core/global_parser.c 2020-07-10 17:41:46.000000000 +0100
+++ keepalived-2.1.5.patched/keepalived/core/global_parser.c 2024-12-02 14:06:44.469215491 +0000 --- keepalived-2.2.8/keepalived/core/commit e78513fe0ce5d83c226ea2c0bd222f375c2438e7
@@ -955,6 +955,22 @@ Author: Quentin Armitage <quentin@armitage.org.uk>
Date: Fri Jul 12 15:16:47 2024 +0100
vrrp: Handle empty ipset names with vrrp_ipsets keyword
We now handle empty ipset names and return a config error.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
global_parser.c 2023-04-01 18:39:25.000000000 +0100
+++ keepalived-2.2.8.patched/keepalived/core/global_parser.c 2024-11-28 08:56:17.445615602 +0000
@@ -1086,6 +1086,22 @@
} }
} }
#ifdef _HAVE_LIBIPSET_ #ifdef _HAVE_LIBIPSET_
@ -24,7 +36,7 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch
static void static void
vrrp_ipsets_handler(const vector_t *strvec) vrrp_ipsets_handler(const vector_t *strvec)
{ {
@@ -974,17 +990,13 @@ @@ -1103,17 +1119,13 @@
return; return;
} }
@ -44,7 +56,7 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch
global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2)); global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2));
} }
else { else {
@@ -995,10 +1007,8 @@ @@ -1124,10 +1136,8 @@
global_data->vrrp_ipset_address6 = STRDUP(set_name); global_data->vrrp_ipset_address6 = STRDUP(set_name);
} }
if (vector_size(strvec) >= 4) { if (vector_size(strvec) >= 4) {
@ -56,9 +68,9 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch
global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3)); global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3));
} }
else { else {
@@ -1014,10 +1024,8 @@ @@ -1142,10 +1152,8 @@
}
#ifdef HAVE_IPSET_ATTR_IFACE
if (vector_size(strvec) >= 5) { if (vector_size(strvec) >= 5) {
- if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) { - if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) {
- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored"); - report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored");
@ -68,7 +80,7 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch
global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4)); global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4));
} }
else { else {
@@ -1028,10 +1036,8 @@ @@ -1156,10 +1164,8 @@
global_data->vrrp_ipset_igmp = STRDUP(set_name); global_data->vrrp_ipset_igmp = STRDUP(set_name);
} }
if (vector_size(strvec) >= 6) { if (vector_size(strvec) >= 6) {
@ -80,4 +92,3 @@ diff -ur keepalived-2.1.5/keepalived/core/global_parser.c keepalived-2.1.5.patch
global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5)); global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5));
} }
else { else {
Only in keepalived-2.1.5.patched/keepalived/core: global_parser.c.orig