Todo #4858

Finish/fix CARP uniqid changes

Added by Chris Buechler almost 4 years ago. Updated over 3 years ago.

Status: Resolved
Priority: High
Assignee:
Category: CARP
Target version:
Start date: 07/21/2015
Due date:
% Done: 100%
Estimated time:

Description

The changes made in 89f171b052fbe72aed654d2a1c3d5a24e9bf9902 need review and completion. Need to verify OpenVPN bound to gateway groups with CARP IPs is working as well. Fixed in RELENG_2_2 in 6eb520938c518a958f09db67e5e9eba2dbdc02d2.

Associated revisions

Revision a5bed5a2 (diff)
Added by Luiz Souza over 3 years ago

Convert CARP interface name to uniqid notation. Ticket #4858

Revision 815decf9 (diff)
Added by Luiz Souza over 3 years ago

Make is_ipaddr_configured() work with CARP.

Check against the correct variable. Ticket #4858

Revision cbbb068d (diff)
Added by Luiz Souza over 3 years ago

Fix the uniqid corruption and the IP conflict when editing an existent CARP IP. Ticket #4858

Revision e686a73f (diff)
Added by Luiz Souza over 3 years ago

Fix get_carp_interface_status() to work with uniqid notation and also, verify the CARP vhid and not only the interface (when you have more than one CARP IP on the same interface). Ticket #4858

Revision f92ea2e2 (diff)
Added by Luiz Souza over 3 years ago

Fix CARP status.

Remove unnecessary code and adjust the code to work with uniqid notation.

Ticket #4858

Revision a34c263b (diff)
Added by Chris Buechler over 3 years ago

Add uniqid tag to CARP VIPs that don't have one upon upgrade. Ticket #4858

Revision ce31310e (diff)
Added by Chris Buechler over 3 years ago

Fix find_interface_ip for gateway groups with VIPs. Ticket #4858

Revision 3564bcb5 (diff)
Added by Chris Buechler over 3 years ago

Fix get_interface_ip to return correct IP for CARP VIPs. Ticket #4858

Revision d20dd658 (diff)
Added by Chris Buechler over 3 years ago

Handle start/stop of OpenVPN client instances bound to gateway groups using CARP IPs. Ticket #4858

Revision 2a5960b0 (diff)
Added by Luiz Souza over 3 years ago

Review of CARP uniqid changes.

It turns out that current CARP implementation is not much different from an IP alias.

This commit converts the IP alias to also use the CARP uniqid scheme; this simplifies the code in all other places because now we have only two different cases to deal with:

- A friendly interface name (lan, wan, opt1, etc.);
- A Virtual IP - VIP alias (_vip{$uniqid}) - CARP or IP Alias.

The parent of a CARP is always a friendly interface. The parent of an IP alias can be a friendly interface or a CARP (this is the only case of recursion of a VIP).

This commit removes a few cases where CARP was still considered an interface (the old CARP implementation), fixes all the wrong cases of strpos() being used to detect a VIP address (won't work as it returns '0' which fails when tested as 'TRUE'), reviews the usage of CARP and IP alias as services bind addresses, fixes general issues of adding and editing VIP addresses.

The following subsystems were affected by these changes:

- IPSEC;
- OpenVPN;
- dnsmasq;
- NTP;
- gateways and gateway groups;
- IPv6 RA;
- GRE interfaces;
- CARP status;
- Referrer authentication.

Fixes (and/or revisit) the following tickets:

- Ticket #3257
- Ticket #3716
- Ticket #4450
- Ticket #4858
- Ticket #5441
- Ticket #5442
- Ticket #5500
- Ticket #5783
- Ticket #5844
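
An added illustration, not part of the commit above or of pfSense's code: the strpos() pitfall the commit message describes, with the faulty truthiness test beside a strict comparison, plus resolution of a VIP name to its friendly parent for the two naming cases listed. The function names, the `$vips` layout and the uniqid values are constructed for this example.

```php
<?php
// Added example; function names are hypothetical, sample data is constructed.

// Faulty check: strpos() returns the match offset. A name in "_vip{$uniqid}"
// notation matches at offset 0, and 0 is falsy in a boolean context.
function is_vip_buggy(string $name): bool
{
    return (bool) strpos($name, '_vip');
}

// Strict check: the prefix must sit exactly at offset 0.
function is_vip(string $name): bool
{
    return strpos($name, '_vip') === 0;
}

// Walk from a VIP name to its friendly parent interface. An IP alias may sit
// on a CARP VIP, so one level of recursion is expected; the $seen guard stops
// a corrupted configuration from looping forever.
function vip_parent_interface(string $name, array $vips): ?string
{
    $seen = [];
    while (is_vip($name)) {
        $uniqid = substr($name, strlen('_vip'));
        if (isset($seen[$uniqid]) || !isset($vips[$uniqid])) {
            return null; // unknown uniqid or cyclic parent chain
        }
        $seen[$uniqid] = true;
        $name = $vips[$uniqid]['interface'];
    }
    return $name;
}

// Constructed VIP table: a CARP VIP on wan, and an IP alias on that CARP VIP.
$vips = [
    '55aa0001' => ['mode' => 'carp',    'interface' => 'wan'],
    '55aa0002' => ['mode' => 'ipalias', 'interface' => '_vip55aa0001'],
];

foreach (['wan', '_vip55aa0001', '_vip55aa0002', '_vipdeadbeef'] as $name) {
    printf("%-14s buggy=%-5s strict=%-5s parent=%s\n",
        $name,
        var_export(is_vip_buggy($name), true),
        var_export(is_vip($name), true),
        vip_parent_interface($name, $vips) ?? 'unresolved');
}
```

The faulty check reports every `_vip…` name as a non-VIP, so code relying on it would treat a VIP as a friendly interface name.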

Revision b574dc63 (diff)
Added by Chris Buechler over 3 years ago

Fix regression with missing 500/4500/ESP rules for IPsec bound to gateway groups. Ticket #4858

Revision ac5c0cfe (diff)
Added by Chris Buechler over 3 years ago

Replace deprecated link_carp function, fix sprintf. Ticket #4858

Revision d20a3d08 (diff)
Added by Chris Buechler over 3 years ago

use get_interface_ip functions rather than find_ since the former handles VIPs, gateway groups, etc. correctly. Ticket #4858

History

#1 Updated by Jim Thompson over 3 years ago

  • Assignee set to Chris Buechler

#2 Updated by Cullen Trey over 3 years ago

See Bug #4642 where I uploaded the rc.carpmaster and rc.carpbackup files, which should start or stop OpenVPN only on the necessary CARP IP events.

#3 Updated by Chris Buechler over 3 years ago

This is just a mess, for the reasons Phil Davis noted on the commit, and other things it's broken (#5441, maybe #5442, and definitely other issues that don't have bugs at the moment).
https://github.com/pfsense/pfsense/commit/89f171b052fbe72aed654d2a1c3d5a24e9bf9902

It was tagged with #3997 but has nothing to do with that ticket, that doesn't apply to CARP at all. It no longer git reverts after things have moved around, but will probably end up backing this out as I see no benefit to having it, it wasn't finished, and it doesn't work.

#4 Updated by Jim Thompson over 3 years ago

  • Assignee changed from Chris Buechler to Luiz Souza

I'd rather have Luiz do this, and drive things back as close as we can to stock FreeBSD

#5 Updated by Luiz Souza over 3 years ago

  • % Done changed from 0 to 30

#6 Updated by Jim Thompson over 3 years ago

  • Status changed from New to Assigned

#7 Updated by Chris Buechler over 3 years ago

  • Subject changed from Review CARP uniqid changes to Finish/fix CARP uniqid changes
  • Status changed from Assigned to Feedback
  • % Done changed from 30 to 100

That should be the last of it.

#8 Updated by Luiz Souza over 3 years ago

Unfortunately this is not yet fixed, there are numerous issues when dealing with IP aliases and CARP in pfSense services.

I've a more complete fix which I'm going to commit in the next hours.

Thanks!

#9 Updated by Luiz Souza over 3 years ago

The uniqid changes are now finished. All the serious and known bugs are fixed.

It took me a while to understand the big picture here and deliver a solution that wasn't too intrusive and at the same time provide all the fixes we need. This was indeed incomplete and broken at various places.

One of the most important failures here was the upgrade code that was never committed and so, all the existent setups would fail miserably after the upgrade.

Thanks everyone for the patience!

#10 Updated by Chris Buechler over 3 years ago

I've re-tested every use of CARP and IP aliases including on gateway groups with the exception of dynamic DNS which I haven't had a chance to get to yet.

Outside of the regressions in #5884 and #5885, the remainder works now.

Leaving to feedback until I can thoroughly test dynamic DNS on gateway groups with VIPs.

#11 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Resolved

Dynamic DNS on gateway groups with VIPs was broken. It's working now including IP alias and CARP VIPs. That should be the last of this, outside things covered in other tickets.
