Project

General

Profile

Actions
Copy link

Bug #14392

closed

``find_interface_ipv6_ll()`` can return a VIP instead of the interface address

Added by Jim Pingle 12 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
Interfaces
Target version:
2.7.1
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

While looking at #14383 and #14385 I noticed that find_interface_ipv6_ll() would return the last link local address on an interface instead of the first, and as a consequence, it would return the interface address before a VIP was added, but would return a VIP when run later. This inconsistency makes it unsuitable for use for finding the LL address of the firewall itself rather than what could potentially be a shared CARP VIP. For example, when attempting to determine what address an HA cluster peer should communicate with.

I can see some use in the current behavior, however, since some cases may want to latch onto a VIP for local services, so perhaps the behavior should be optional (e.g. a new function parameter to conditionally exclude VIPs).

For reference, this is what the LAN interface of a lab cluster system looks like:

: ifconfig vtnet1
vtnet1: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: LAN
    options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
    ether f2:65:47:9c:58:a8
    inet6 fe80::f065:47ff:fe9c:58a8%vtnet1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:1:df30::2 prefixlen 64
    inet6 2001:db8:1:df30::1 prefixlen 64 vhid 2
    inet6 2001:db8:1:df30::4 prefixlen 64 vhid 5
    inet6 fe80::1:10%vtnet1 prefixlen 64 scopeid 0x2 vhid 10
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
    inet 192.168.1.4 netmask 0xffffffff broadcast 192.168.1.4 vhid 4
    carp: MASTER vhid 1 advbase 1 advskew 1
          peer 224.0.0.18 peer6 ff02::12
    carp: MASTER vhid 4 advbase 1 advskew 1
          peer 192.168.1.3 peer6 ff02::12
    carp: MASTER vhid 2 advbase 1 advskew 1
          peer 224.0.0.18 peer6 ff02::12
    carp: MASTER vhid 5 advbase 1 advskew 1
          peer 224.0.0.18 peer6 2001:db8:1:df30::3
    carp: MASTER vhid 10 advbase 1 advskew 1
          peer 224.0.0.18 peer6 2001:db8:1:df30::3
    media: Ethernet autoselect (10Gbase-T <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Note that it has both its own LL address plus an LL CARP VIP.

Now try to fetch the LL address of the interface:

var_dump( find_interface_ipv6_ll('vtnet1') );

And it gets the VIP back instead:

string(17) "fe80::1:10%vtnet1"

Flipping the behavior to use the first and not last can be changed by adding a break; after locating an LL address on the interface, though as we've seen in the past (#11545) that alone may not be sufficient to ensure a VIP is never selected.

Actions
Copy link
 #1

Updated by Jim Pingle 9 months ago

  • Assignee set to Jim Pingle
  • Target version changed from CE-Next to 2.8.0
Actions
Copy link
 #2

Updated by Jim Pingle 9 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #3

Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to Resolved

Works as expected on snapshots. A unicast CARP VIP peer syncs via XMLRPC and uses the expected LL address when fixing up the peer for the other node.

Before this change it was putting the VIP address in which made it fail.

Actions
Copy link
 #4

Updated by Jim Pingle 6 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions
Copy link

Also available in: Atom PDF