Project

General

Profile

Actions
Copy link

Bug #14392

closed

``find_interface_ipv6_ll()`` can return a VIP instead of the interface address

Added by Jim Pingle over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
Interfaces
Target version:
2.7.1
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

While looking at #14383 and #14385 I noticed that find_interface_ipv6_ll() would return the last link local address on an interface instead of the first, and as a consequence, it would return the interface address before a VIP was added, but would return a VIP when run later. This inconsistency makes it unsuitable for use for finding the LL address of the firewall itself rather than what could potentially be a shared CARP VIP. For example, when attempting to determine what address an HA cluster peer should communicate with.

I can see some use in the current behavior, however, since some cases may want to latch onto a VIP for local services, so perhaps the behavior should be optional (e.g. a new function parameter to conditionally exclude VIPs).

For reference, this is what the LAN interface of a lab cluster system looks like:

: ifconfig vtnet1
vtnet1: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: LAN
    options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
    ether f2:65:47:9c:58:a8
    inet6 fe80::f065:47ff:fe9c:58a8%vtnet1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:1:df30::2 prefixlen 64
    inet6 2001:db8:1:df30::1 prefixlen 64 vhid 2
    inet6 2001:db8:1:df30::4 prefixlen 64 vhid 5
    inet6 fe80::1:10%vtnet1 prefixlen 64 scopeid 0x2 vhid 10
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
    inet 192.168.1.4 netmask 0xffffffff broadcast 192.168.1.4 vhid 4
    carp: MASTER vhid 1 advbase 1 advskew 1
          peer 224.0.0.18 peer6 ff02::12
    carp: MASTER vhid 4 advbase 1 advskew 1
          peer 192.168.1.3 peer6 ff02::12
    carp: MASTER vhid 2 advbase 1 advskew 1
          peer 224.0.0.18 peer6 ff02::12
    carp: MASTER vhid 5 advbase 1 advskew 1
          peer 224.0.0.18 peer6 2001:db8:1:df30::3
    carp: MASTER vhid 10 advbase 1 advskew 1
          peer 224.0.0.18 peer6 2001:db8:1:df30::3
    media: Ethernet autoselect (10Gbase-T <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Note that it has both its own LL address plus an LL CARP VIP.

Now try to fetch the LL address of the interface:

var_dump( find_interface_ipv6_ll('vtnet1') );

And it gets the VIP back instead:

string(17) "fe80::1:10%vtnet1"

Flipping the behavior to use the first and not last can be changed by adding a break; after locating an LL address on the interface, though as we've seen in the past (#11545) that alone may not be sufficient to ensure a VIP is never selected.

Actions
Copy link

Also available in: Atom PDF