Regression #14383
IPv6 CARP VIPs are not configured properly on interfaces, ``ifconfig`` error in system log
Status: Closed
% Done: 100%
Description
https://forum.netgate.com/topic/180051/ipv6-carp-seems-broken-on-23-05/4
Let's say you have a LAN with both IPv6 and IPv4 address types and want to create CARP addresses for later use. It is assumed that the LAN interface already has both address types configured. Go to the primary firewall, create VIP addresses for the LAN interface of both types, IPv4 and IPv6, and save the settings. After saving, check the system log for errors; on the version of 23.05 built on Sat May 13 there will be an error like:
/firewall_virtual_ip.php: The command '/sbin/ifconfig em1 alias 'ipv6 address' prefixlen '64' vhid '3' mcast6 advskew '100' advbase '1' pass 'password'' returned exit code '1', the output was 'ifconfig: fd05:34b9:d876:612e:0000:0000:0000:0001: bad value'
Accordingly, the address is not created, which is confirmed by the output of ifconfig -vv.
Also, on the dashboard, the CARP status for this IP is simply missing. This is fine, because the IP does not exist. IPv6 looks completely broken.
If you enter on the command line:
'/sbin/ifconfig em1 inet6 alias 'ipv6 address' prefixlen '64' vhid '3' mcast6 advskew '100' advbase '1' pass 'password''
there are no errors and the address is created. The IP also gets a status and CARP is working.
A similar configuration works without any problems on version 23.01.
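As an added check for the failure mode described above (not pfSense code and not the fix itself), a POSIX sh helper that builds the ifconfig line with the address family chosen from the VIP address, the way the working command in the report does, plus a second function that confirms the VIP really exists in `ifconfig -vv` output instead of trusting the save. Interface names, addresses, vhids and passwords used with it are constructed placeholders.

```shell
# Build the ifconfig command for a CARP VIP. The family keyword (inet/inet6)
# in front of 'alias' is what the broken build omitted; without it ifconfig
# rejects an IPv6 address with "bad value". The line is printed for review
# rather than executed.
# Usage: carp_vip_cmd IFACE ADDR PREFIX VHID ADVSKEW ADVBASE PASS [PEER]
carp_vip_cmd() {
    iface=$1 addr=$2 bits=$3 vhid=$4 skew=$5 base=$6 pass=$7 peer=$8
    case $addr in
        *:*)    # IPv6 address: needs inet6, prefixlen and mcast6/peer6
            family=inet6; subnet="$addr prefixlen $bits"; mode=mcast6
            if [ -n "$peer" ]; then
                # a link-local peer needs an interface scope (fe80::2%em1);
                # note-2 in this issue warns LL sync peers still do not work
                case $peer in
                    fe80:*) case $peer in *%*) ;; *) peer="$peer%$iface";; esac ;;
                esac
                mode="peer6 $peer"
            fi ;;
        *)      # IPv4 address: inet, CIDR mask and mcast/peer
            family=inet; subnet="$addr/$bits"; mode=mcast
            if [ -n "$peer" ]; then mode="peer $peer"; fi ;;
    esac
    printf '/sbin/ifconfig %s %s alias %s vhid %s %s advskew %s advbase %s pass %s\n' \
        "$iface" "$family" "$subnet" "$vhid" "$mode" "$skew" "$base" "$pass"
}

# Post-save check: read `ifconfig -vv IFACE` output on stdin and return 0
# only if the address line carries the expected vhid. A VIP whose ifconfig
# call failed is simply absent, so this catches the silent case the report
# describes (missing dashboard status, no address in ifconfig output).
carp_vip_present() {
    addr=$1 vhid=$2
    grep -F -i "$addr" | grep -E -q "vhid $vhid([^0-9]|$)"
}
```

Run the check on the primary after saving the VIP: `ifconfig -vv em1 | carp_vip_present 2001:db8::200 201 || echo "VIP missing"`.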
Updated by Jim Pingle over 1 year ago
- Status changed from New to Confirmed
- Assignee set to Jim Pingle
- Target version set to 23.05
I can reproduce this here as well:
/firewall_virtual_ip.php: The command '/sbin/ifconfig vtnet0 alias '2001:db8::200' prefixlen '64' vhid '201' mcast6 advskew '1' advbase '1' pass 'abc123'' returned exit code '1', the output was 'ifconfig: 2001:db8::200: bad value'
Updated by Jim Pingle over 1 year ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Fixed in https://gitlab.netgate.com/pfSense/factory/-/commit/7694007e9570faecfd7150206bd029fba2bb4bf0
There is one caveat, which is that using an IPv6 LL sync peer doesn't work for unicast CARP. Using non-LL addresses is OK. The VIP itself can be LL, but the sync peer has to be non-LL. See #14385 for details on that.
Updated by Jim Pingle over 1 year ago
- Tracker changed from Bug to Regression
- Subject changed from Adding IPv6 CARP interface produces an error 'ifconfig: <IPv6 address>: bad value' to IPv6 CARP VIPs are not configured properly on interfaces, ``ifconfig`` error in system log
- Release Notes changed from Default to Force Exclusion
Not a problem in a release, exclude from release notes.
Updated by Vladimir Suhhanov over 1 year ago
Jim Pingle wrote in #note-2:
Fixed in https://gitlab.netgate.com/pfSense/factory/-/commit/7694007e9570faecfd7150206bd029fba2bb4bf0
There is one caveat, which is that using an IPv6 LL sync peer doesn't work for unicast CARP. Using non-LL addresses is OK. The VIP itself can be LL, but the sync peer has to be non-LL. See #14385 for details on that.
Excuse me, Jim, is this a link to Netgate internal gitlab? I can't open it
Updated by Jim Pingle over 1 year ago
Vladimir Suhhanov wrote in #note-4:
Jim Pingle wrote in #note-2:
Fixed in https://gitlab.netgate.com/pfSense/factory/-/commit/7694007e9570faecfd7150206bd029fba2bb4bf0
There is one caveat, which is that using an IPv6 LL sync peer doesn't work for unicast CARP. Using non-LL addresses is OK. The VIP itself can be LL, but the sync peer has to be non-LL. See #14385 for details on that.
Excuse me, Jim, is this a link to Netgate internal gitlab? I can't open it
No, it's public. I can access it even without being logged in. https://redmine.pfsense.org/issues/14385
Updated by Vladimir Suhhanov over 1 year ago
Jim Pingle wrote in #note-5:
Vladimir Suhhanov wrote in #note-4:
Jim Pingle wrote in #note-2:
Fixed in https://gitlab.netgate.com/pfSense/factory/-/commit/7694007e9570faecfd7150206bd029fba2bb4bf0
There is one caveat, which is that using an IPv6 LL sync peer doesn't work for unicast CARP. Using non-LL addresses is OK. The VIP itself can be LL, but the sync peer has to be non-LL. See #14385 for details on that.
Excuse me, Jim, is this a link to Netgate internal gitlab? I can't open it
No, it's public. I can access it even without being logged in. https://redmine.pfsense.org/issues/14385
I mean this link https://gitlab.netgate.com/pfSense/factory/-/commit/7694007e9570faecfd7150206bd029fba2bb4bf0
Will this commit be added in the next build? How to test?
Updated by Jim Pingle over 1 year ago
The URL for that commit is private; it will be in the next build.
You can try this patch in the meantime, which is the same as what is at that commit URL.
diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
index 3b100bb1048b394077c5f81ad59bf3b512440d27..85aa2f7b96b4545d5b9c26f0441fe3f298d9188b 100644
--- a/src/etc/inc/interfaces.inc
+++ b/src/etc/inc/interfaces.inc
@@ -3105,15 +3105,22 @@ function interface_carp_configure(&$vip, $ipalias_reload = false) {
if (is_ipaddrv4($vip['subnet'])) {
$subnet = escapeshellarg($vip['subnet']) . "/" . escapeshellarg($vip['subnet_bits']);
$mode = ($vip['carp_mode'] == 'ucast' ? "peer ". escapeshellarg($vip['carp_peer']) : " mcast");
+ $family = 'inet';
} elseif (is_ipaddrv6($vip['subnet'])) {
$subnet = escapeshellarg($vip['subnet']) . " prefixlen " . escapeshellarg($vip['subnet_bits']);
+ /* Add link local scope if not already present */
+ if (is_linklocal($vip['carp_peer']) &&
+ (strpos($vip['carp_peer'], '%') === false)) {
+ $vip['carp_peer'] = $vip['carp_peer'] . '%' . $realif;
+ }
$mode = ($vip['carp_mode'] == 'ucast' ? "peer6 ". escapeshellarg($vip['carp_peer']) : " mcast6");
+ $family = 'inet6';
} else {
log_error("VIP subnet {$vip['subnet']} on {$vip['interface']} is not a valid IP address");
return;
}
- mwexec("/sbin/ifconfig {$realif} alias {$subnet} vhid " . escapeshellarg($vip['vhid']) .
+ mwexec("/sbin/ifconfig {$realif} {$family} alias {$subnet} vhid " . escapeshellarg($vip['vhid']) .
" {$mode} {$advskew} {$advbase} {$password}");
/* reconfigure stacked IP Aliases after CARP VIP changes
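Review bot: the link-local scope handling in this hunk writes the `%<realif>` suffix back into `$vip['carp_peer']`, and because the function takes `&$vip` by reference the caller sees that modified value; if the caller later persists the VIP array, the stored peer would carry an interface-specific scope. Building the scoped peer in a local variable (`$peer = $vip['carp_peer'] . '%' . $realif;`) and passing that to escapeshellarg avoids the side effect. The `{$family}` keyword inserted before `alias` is the actual fix for the `bad value` error in the log, matching the working `inet6 alias` command from the report; per the caveat in #note-2 the scope append alone does not make a link-local unicast sync peer work.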
diff --git a/src/etc/rc.filter_synchronize b/src/etc/rc.filter_synchronize
index c8a8b38a3fe773f4fee596e3d771076880bf5fec..21fb6398b7c2cfcbcf79186c53f666d86d399e7e 100755
--- a/src/etc/rc.filter_synchronize
+++ b/src/etc/rc.filter_synchronize
@@ -52,7 +52,14 @@ function backup_vip_config_section() {
}
if (!empty($section['carp_peer'])) {
- $if_addr = find_interface_ip(get_real_interface($section['interface']));
+ /* Use appropriate address family and type to match the peer */
+ if (is_ipaddrv4($section['carp_peer'])) {
+ $if_addr = find_interface_ip(get_real_interface($section['interface']));
+ } elseif (is_linklocal($section['carp_peer'])) {
+ $if_addr = find_interface_ipv6_ll(get_real_interface($section['interface']));
+ } elseif (is_ipaddrv6($section['carp_peer'])) {
+ $if_addr = find_interface_ipv6(get_real_interface($section['interface']));
+ }
if (!empty($if_addr)) {
$section['carp_peer'] = $if_addr;
}
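Review bot: the new if/elseif chain assigns `$if_addr` only when the peer passes one of the three address tests, so any other value leaves the variable unset (or stale, if the enclosing code reuses it) and the following `if (!empty($if_addr))` guard either skips the substitution silently or copies a leftover value. Initialise it before the chain (`$if_addr = '';`) and consider an `else` branch that calls log_error so an unrecognised peer is visible in the log. Testing `is_linklocal` ahead of `is_ipaddrv6` is the right order, since a link-local address also satisfies the general IPv6 test.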
Updated by Vladimir Suhhanov over 1 year ago
Jim Pingle wrote in #note-7:
The URL for that commit is private, it will be in the next build.
You can try this patch in the meantime, which is the same as what is at that commit URL.
[...]
I confirm that after the patch everything works now without issues. Thanks, Jim!