Regression #14383
closed
IPv6 CARP VIPs are not configured properly on interfaces, ``ifconfig`` error in system log
Added by Vladimir Suhhanov over 1 year ago.
Updated over 1 year ago.
Release Notes:
Force Exclusion
Affected Plus Version:
23.05
Affected Architecture:
amd64
Description
https://forum.netgate.com/topic/180051/ipv6-carp-seems-broken-on-23-05/4
Let's say you have a LAN with both IPv6 and IPv4 address types, and let's say you want to create CARP addresses for later use. It is assumed that the LAN interface already has both address types configured. Go to the primary firewall and create VIP addresses for the LAN interface, both types, IPv4 and IPv6, and save the settings. After saving the settings, check the system log for errors; on the version built on Sat May 13 23.05 there will be an error like:
/firewall_virtual_ip.php: The command '/sbin/ifconfig em1 alias 'ipv6 address' prefixlen '64' vhid '3' mcast6 advskew '100' advbase '1' pass 'password'' returned exit code '1', the output was 'ifconfig: fd05:34b9:d876:612e:0000:0000:0000:0001: bad value'
Accordingly, the address is not created, which is confirmed by the output of ifconfig -vv.
Also, on the dashboard, the CARP status for this IP is just missing. This is fine, because the IP does not exist. IPv6 looks completely broken.
If you enter on the command line:
'/sbin/ifconfig em1 inet6 alias 'ipv6 address' prefixlen '64' vhid '3' mcast6 advskew '100' advbase '1' pass 'password''
There are no errors and the address is created. IP also gets status and CARP is working.
A similar configuration works without any problems on version 23.01.
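One way to check a system log for this symptom, as an added example that is not part of the original report or of pfSense: it parses failure lines in the format quoted above and flags IPv6 alias commands that lack the inet6 keyword. The sample log lines, the function name and the result field names are constructed for illustration.

```python
import ipaddress
import re

# Failure line format as quoted in this report (mwexec error in the system log).
FAIL_RE = re.compile(r"The command '(?P<cmd>/sbin/ifconfig .*)' returned exit code "
                     r"'(?P<rc>\d+)', the output was '(?P<out>.*)'")
ALIAS_RE = re.compile(
    r"/sbin/ifconfig (?P<ifname>\S+) (?P<family>inet6? )?alias '(?P<addr>[^']+)'")
VHID_RE = re.compile(r"vhid '(\d+)'")
PASS_RE = re.compile(r"pass '[^']*'")

# Constructed sample lines (timestamp, host name and PID are made up).
SAMPLE_LOG = [
    "May 15 10:00:01 fw php-fpm[411]: /firewall_virtual_ip.php: The command "
    "'/sbin/ifconfig vtnet0 alias '2001:db8::200' prefixlen '64' vhid '201' mcast6 "
    "advskew '1' advbase '1' pass 'abc123'' returned exit code '1', "
    "the output was 'ifconfig: 2001:db8::200: bad value'",
    "May 15 10:00:02 fw php-fpm[411]: /firewall_virtual_ip.php: unrelated message",
]


def failed_carp_vips(lines):
    """Return one dict per failed 'ifconfig ... alias ... vhid' command."""
    findings = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m or m.group("rc") == "0":
            continue
        cmd = m.group("cmd")
        alias, vhid = ALIAS_RE.search(cmd), VHID_RE.search(cmd)
        if not alias or not vhid:
            continue  # not a CARP VIP alias command
        try:
            version = ipaddress.ip_address(alias.group("addr")).version
        except ValueError:
            version = None  # placeholder or malformed address in the log
        findings.append({
            "interface": alias.group("ifname"),
            "address": alias.group("addr"),
            "vhid": int(vhid.group(1)),
            # Symptom in this report: IPv6 alias issued without 'inet6'.
            "missing_inet6": version == 6 and alias.group("family") is None,
            "output": m.group("out"),
            # The logged command carries the CARP password; mask it before sharing.
            "command": PASS_RE.sub("pass '<redacted>'", cmd),
        })
    return findings


if __name__ == "__main__":
    for finding in failed_carp_vips(SAMPLE_LOG):
        print(finding)
```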
- Status changed from New to Confirmed
- Assignee set to Jim Pingle
- Target version set to 23.05
I can reproduce this here as well:
/firewall_virtual_ip.php: The command '/sbin/ifconfig vtnet0 alias '2001:db8::200' prefixlen '64' vhid '201' mcast6 advskew '1' advbase '1' pass 'abc123'' returned exit code '1', the output was 'ifconfig: 2001:db8::200: bad value'
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
- Tracker changed from Bug to Regression
- Subject changed from Adding IPv6 CARP interface produces an error 'ifconfig: <IPv6 address>: bad value' to IPv6 CARP VIPs are not configured properly on interfaces, ``ifconfig`` error in system log
- Release Notes changed from Default to Force Exclusion
Not a problem in a release, exclude from release notes.
The URL for that commit is private, it will be in the next build.
You can try this patch in the meantime, which is the same as what is at that commit URL.
diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
index 3b100bb1048b394077c5f81ad59bf3b512440d27..85aa2f7b96b4545d5b9c26f0441fe3f298d9188b 100644
--- a/src/etc/inc/interfaces.inc
+++ b/src/etc/inc/interfaces.inc
@@ -3105,15 +3105,22 @@ function interface_carp_configure(&$vip, $ipalias_reload = false) {
if (is_ipaddrv4($vip['subnet'])) {
$subnet = escapeshellarg($vip['subnet']) . "/" . escapeshellarg($vip['subnet_bits']);
$mode = ($vip['carp_mode'] == 'ucast' ? "peer ". escapeshellarg($vip['carp_peer']) : " mcast");
+ $family = 'inet';
} elseif (is_ipaddrv6($vip['subnet'])) {
$subnet = escapeshellarg($vip['subnet']) . " prefixlen " . escapeshellarg($vip['subnet_bits']);
+ /* Add link local scope if not already present */
+ if (is_linklocal($vip['carp_peer']) &&
+ (strpos($vip['carp_peer'], '%') === false)) {
+ $vip['carp_peer'] = $vip['carp_peer'] . '%' . $realif;
+ }
$mode = ($vip['carp_mode'] == 'ucast' ? "peer6 ". escapeshellarg($vip['carp_peer']) : " mcast6");
+ $family = 'inet6';
} else {
log_error("VIP subnet {$vip['subnet']} on {$vip['interface']} is not a valid IP address");
return;
}
- mwexec("/sbin/ifconfig {$realif} alias {$subnet} vhid " . escapeshellarg($vip['vhid']) .
+ mwexec("/sbin/ifconfig {$realif} {$family} alias {$subnet} vhid " . escapeshellarg($vip['vhid']) .
" {$mode} {$advskew} {$advbase} {$password}");
/* reconfigure stacked IP Aliases after CARP VIP changes
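Review bot: In the IPv6 branch, the link-local fix-up writes back to $vip['carp_peer'], and the hunk header shows the function takes $vip by reference (&$vip), so the appended '%' . $realif scope is still on the array after the call returns and is visible to whatever the caller does with the VIP next. Consider building the scoped peer in a local variable and passing that to escapeshellarg() instead of modifying $vip. The is_linklocal() check also runs when carp_mode is not 'ucast', where the peer is not used in $mode; moving it under the unicast case would keep the two together. $family is only ever assigned the literals 'inet' or 'inet6', so interpolating it unescaped into the mwexec() string is fine.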
diff --git a/src/etc/rc.filter_synchronize b/src/etc/rc.filter_synchronize
index c8a8b38a3fe773f4fee596e3d771076880bf5fec..21fb6398b7c2cfcbcf79186c53f666d86d399e7e 100755
--- a/src/etc/rc.filter_synchronize
+++ b/src/etc/rc.filter_synchronize
@@ -52,7 +52,14 @@ function backup_vip_config_section() {
}
if (!empty($section['carp_peer'])) {
- $if_addr = find_interface_ip(get_real_interface($section['interface']));
+ /* Use appropriate address family and type to match the peer */
+ if (is_ipaddrv4($section['carp_peer'])) {
+ $if_addr = find_interface_ip(get_real_interface($section['interface']));
+ } elseif (is_linklocal($section['carp_peer'])) {
+ $if_addr = find_interface_ipv6_ll(get_real_interface($section['interface']));
+ } elseif (is_ipaddrv6($section['carp_peer'])) {
+ $if_addr = find_interface_ipv6(get_real_interface($section['interface']));
+ }
if (!empty($if_addr)) {
$section['carp_peer'] = $if_addr;
}
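Review bot: The new if/elseif chain has no else branch, so when carp_peer is neither IPv4, link-local nor IPv6, $if_addr is not assigned here and the following !empty($if_addr) test sees whatever value the variable already holds in this scope, if any. Initialise $if_addr to an empty value before the chain, or add an else that clears it, so a peer that matches no branch can never be overwritten with a stale address. The order of is_linklocal() before is_ipaddrv6() looks deliberate; a one-line comment saying the link-local test must come first would stop the branches being reordered later.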
Jim Pingle wrote in #note-7:
The URL for that commit is private, it will be in the next build.
You can try this patch in the meantime, which is the same as what is at that commit URL.
[...]
I confirm that after the patch everything works now without issues. Thanks, Jim!
- Status changed from Feedback to Resolved