From 0070dc841b104d4e4d11dfd37511b58c0fc5f197 Mon Sep 17 00:00:00 2001
From: Simon Kirby
Date: Thu, 29 Feb 2024 15:43:44 -0800
Subject: [PATCH] vrrp: For use_vmac and use_ipvlan, copy the group from the base interface
It is useful in many instances to set up firewall rules based on interface groups so that sets of interfaces may be aggregated by group and matched with a single rule rather than by listing them all. Prior to this change, when use_vmac or use_ipvlan is used, new interfaces are created with the default group, which breaks this ability. Further complicating the issue is that nftables resolves interface names to ifindex at load time. This is problematic with keepalived's interface creation, which usually comes after the firewall loading, forcing the use of iifname, oifname instead (similar to iptables -i, -o). By copying the group value, such firewall rules can continue to work regardless of the use_vmac or use_ipvlan settings, since packets may now arrive on, or be routed out from, the new interfaces.
Signed-off-by: Simon Kirby
---
 keepalived/vrrp/vrrp_vmac.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/keepalived/vrrp/vrrp_vmac.c b/keepalived/vrrp/vrrp_vmac.c
index 86ff25d1ad..b8c90ae5e7 100644
--- a/keepalived/vrrp/vrrp_vmac.c
+++ b/keepalived/vrrp/vrrp_vmac.c
@@ -277,6 +277,7 @@ netlink_link_add_vmac(vrrp_t *vrrp, const interface_t *old_interface)
 	struct rtattr *linkinfo;
 	struct rtattr *data;
 	interface_t *ifp;
+	uint32_t group;
 	bool create_interface = true;
 	struct {
 		struct nlmsghdr n;
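Review bot: The `uint32_t group` declared here exists only as a staging temporary for a u32 netlink attribute that the file's `addattr32` helper already marshals directly — the same function passes `vrrp->configured_ifp->ifindex` through `addattr32(&req.n, sizeof(req), IFLA_LINK, ...)` in the next hunk, and the kernel's IFLA_GROUP is likewise a u32. This declaration and the later `group = ...; addattr_l(&req.n, sizeof(req), IFLA_GROUP, &group, sizeof(group));` pair could collapse to `addattr32(&req.n, sizeof(req), IFLA_GROUP, vrrp->configured_ifp->base_ifp->group);`, keeping the new attribute in the same form as IFLA_LINK beside it. The assignment and its block comment sit in the second hunk, where the comment names only use_vmac although the subject line covers use_ipvlan as well; `working regardless of the use_vmac or use_ipvlan setting.` would match the commit. The rest of netlink_link_add_vmac lies outside both hunks, so whether `base_ifp` is guaranteed non-NULL at this point is not visible here — presumably it is, since the function already dereferences `configured_ifp` unconditionally a few lines earlier, but it is worth confirming for the use_ipvlan path.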
@@ -386,6 +387,14 @@ netlink_link_add_vmac(vrrp_t *vrrp, const interface_t *old_interface)
 		addattr32(&req.n, sizeof(req), IFLA_LINK, vrrp->configured_ifp->ifindex);
 		addattr_l(&req.n, sizeof(req), IFLA_IFNAME, vrrp->vmac_ifname, strlen(vrrp->vmac_ifname));
 	}
+
+	/*
+	 * Copy the group from the base interface to allow firewall rules
+	 * (iptables devgroup or nftables iifgroup, oifgroup) to continue
+	 * working regardless of the use_vmac setting.
+	 */
+	group = vrrp->configured_ifp->base_ifp->group;
+	addattr_l(&req.n, sizeof(req), IFLA_GROUP, &group, sizeof(group));
 	addattr_l(&req.n, sizeof(req), IFLA_ADDRESS, if_ll_addr, ETH_ALEN);
 #ifdef _HAVE_VRF_