Merge pull request #412 from pqarmitage/fixes

Fix iptables entries for accept mode, other iptables fixes, and make write_stacktrace a configure option

configure

@@ -785,6 +785,7 @@ enable_libipset
 enable_mem_check
 enable_mem_check_log
 enable_debug
+enable_stacktrace
 enable_profile
 enable_dependency_tracking
 '
@@ -1433,6 +1434,7 @@ Optional Features:
   --enable-mem-check      compile with memory alloc checking
   --enable-mem-check-log  compile with memory alloc checking wriging to syslog
   --enable-debug          compile with debugging flags
+  --enable-stracktrace    compile with stacktrace support
   --enable-profile        compile with profiling flags
   --enable-dependency-tracking
                           do not reject slow dependency extractors
@@ -3296,6 +3298,11 @@ if test "${enable_debug+set}" = set; then :
   enableval=$enable_debug;
 fi
 
+# Check whether --enable-stacktrace was given.
+if test "${enable_stacktrace+set}" = set; then :
+  enableval=$enable_stacktrace;
+fi
+
 # Check whether --enable-profile was given.
 if test "${enable_profile+set}" = set; then :
   enableval=$enable_profile;
@@ -8365,6 +8372,17 @@ else
   ENABLE_DEBUG=No
 fi
 
+if test "${enable_stacktrace}" = yes; then
+
+$as_echo "#define _WITH_STACKTRACE_  1 " >>confdefs.h
+
+  ENABLE_STACKTRACE=Yes
+  BUILD_OPTIONS="$BUILD_OPTIONS STACKTRACE"
+  KA_LDFLAGS="$KA_LDFLAGS -rdynamic"
+else
+  ENABLE_STACKTRACE=No
+fi
+
 if test "${enable_profile}" = yes; then
   KA_CFLAGS="$KA_CFLAGS -pg"
 fi
@@ -9960,6 +9978,7 @@ if test ${SNMP_RFCV3_SUPPORT} = Yes; then
 fi
 echo "SHA1 support             : ${SHA1_SUPPORT}"
 echo "Use Debug flags          : ${ENABLE_DEBUG}"
+echo "Stacktrace support       : ${ENABLE_STACKTRACE}"
 echo "Memory alloc check       : ${MEM_CHECK}"
 if test ${MEM_CHECK} = Yes; then
   echo "Memory alloc check log   : ${MEM_CHECK_LOG}"

configure.ac

@@ -107,6 +107,8 @@ AC_ARG_ENABLE(mem-check-log,
   [  --enable-mem-check-log  compile with memory alloc checking wriging to syslog])
 AC_ARG_ENABLE(debug,
   [  --enable-debug          compile with debugging flags])
+AC_ARG_ENABLE(stacktrace,
+  [  --enable-stracktrace    compile with stacktrace support])
 AC_ARG_ENABLE(profile,
   [  --enable-profile        compile with profiling flags])
 
@@ -830,6 +832,16 @@ else
   ENABLE_DEBUG=No
 fi
 
+dnl ----[ Stacktrace support or not ? ]----
+if test "${enable_stacktrace}" = yes; then
+  AC_DEFINE([_WITH_STACKTRACE_], [ 1 ], [Define to 1 to build with stacktrace support])
+  ENABLE_STACKTRACE=Yes
+  add_build_opt([STACKTRACE])
+  add_to_var([KA_LDFLAGS], [-rdynamic])
+else
+  ENABLE_STACKTRACE=No
+fi
+
 dnl ----[ Profiling or not ? ]----
 if test "${enable_profile}" = yes; then
   add_to_var([KA_CFLAGS], [-pg])
@@ -886,6 +898,7 @@ if test ${SNMP_RFCV3_SUPPORT} = Yes; then
 fi
 echo "SHA1 support             : ${SHA1_SUPPORT}"
 echo "Use Debug flags          : ${ENABLE_DEBUG}"
+echo "Stacktrace support       : ${ENABLE_STACKTRACE}"
 echo "Memory alloc check       : ${MEM_CHECK}"
 if test ${MEM_CHECK} = Yes; then
   echo "Memory alloc check log   : ${MEM_CHECK_LOG}"

keepalived/include/global_data.h

@@ -46,6 +46,9 @@
 #include "ipvswrapper.h"
 #endif
 
+#ifndef _HAVE_LIBIPTC_
+#define	XT_EXTENSION_MAXNAMELEN		29
+#endif
 
 /* constants */
 #define DEFAULT_SMTP_SERVER 0x7f000001

keepalived/include/vrrp_iptables.h

@@ -23,6 +23,8 @@
 #ifndef _VRRP_IPTABLES_H
 #define _VRRP_IPTABLES_H
 
+#include <stdbool.h>
+
 #ifdef _HAVE_LIBIPTC_
 #include <libiptc/libxtc.h>
 #endif
@@ -41,6 +43,6 @@ void iptables_startup(void);
 void iptables_cleanup(void);
 struct ipt_handle *iptables_open(void);
 int iptables_close(struct ipt_handle *h);
-void handle_iptable_rule_to_vip(ip_address_t *, int, char *, struct ipt_handle *);
+void handle_iptable_rule_to_vip(ip_address_t *, int, char *, struct ipt_handle *, bool);
 
 #endif

keepalived/include/vrrp_iptables_calls.h

@@ -33,11 +33,11 @@ int load_mod_xt_set(void);
 struct iptc_handle* ip4tables_open ( const char*);
 int ip4tables_close ( struct iptc_handle*, int);
 int ip4tables_is_chain(struct iptc_handle*, const char*);
-int ip4tables_process_entry( struct iptc_handle* handle, const char* chain_name, int rulenum, const char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd);
+int ip4tables_process_entry( struct iptc_handle* handle, const char* chain_name, int rulenum, const char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd, bool force);
 struct ip6tc_handle* ip6tables_open ( const char* tablename );
 int ip6tables_close ( struct ip6tc_handle* handle, int updated );
 int ip6tables_is_chain(struct ip6tc_handle* handle, const char* chain_name);
-int ip6tables_process_entry( struct ip6tc_handle* handle, const char* chain_name, int rulenum, const char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd);
+int ip6tables_process_entry( struct ip6tc_handle* handle, const char* chain_name, int rulenum, const char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd, bool force);
 int ip4tables_add_rules(struct iptc_handle* handle, const char* chain_name, int rulenum, int dim, int src_dst, const char* target_name, const char* set_name, uint16_t protocol, int param, int cmd, bool ignore_errors);
 int ip6tables_add_rules(struct ip6tc_handle* handle, const char* chain_name, int rulenum, int dim, int src_dst, const char* target_name, const char* set_name, uint16_t protocol, int param, int cmd, bool ignore_errors);
 

keepalived/vrrp/vrrp_ipaddress.c

@@ -166,7 +166,7 @@ netlink_iplist(list ip_list, int cmd)
 
 #ifndef _HAVE_LIBIPTC_
 static void
-handle_iptable_rule_to_NA(ip_address_t *ipaddress, int cmd, char *ifname)
+handle_iptable_rule_to_NA(ip_address_t *ipaddress, int cmd, char *ifname, bool force)
 {
 	char  *argv[14];
 	unsigned int i = 0;
@@ -198,13 +198,13 @@ handle_iptable_rule_to_NA(ip_address_t *ipaddress, int cmd, char *ifname)
 	argv[i++] = "ACCEPT";
 	argv[i] = NULL;
 
-	if (fork_exec(argv) < 0)
+	if (fork_exec(argv) < 0 && !force)
 		log_message(LOG_ERR, "Failed to %s ip6table rule to accept NAs sent"
 				     " to vip %s", (cmd) ? "set" : "remove", addr_str);
 
 	argv[type_specifier] = "135";
 
-	if (fork_exec(argv) < 0)
+	if (fork_exec(argv) < 0 && !force)
 		log_message(LOG_ERR, "Failed to %s ip6table rule to accept NSs sent"
 				     " to vip %s", (cmd) ? "set" : "remove", addr_str);
 
@@ -218,21 +218,21 @@ handle_iptable_rule_to_NA(ip_address_t *ipaddress, int cmd, char *ifname)
 
 	/* Allow NSs to be sent - this should only happen if the underlying interface
 	   doesn't have an IPv6 address */
-	if (fork_exec(argv) < 0)
+	if (fork_exec(argv) < 0 && !force)
 		log_message(LOG_ERR, "Failed to %s ip6table rule to allow NSs to be"
 				     " sent from vip %s", (cmd) ? "set" : "remove", addr_str);
 
 	argv[type_specifier] = "136";
 
 	/* Allow NAs to be sent in reply to an NS */
-	if (fork_exec(argv) < 0)
+	if (fork_exec(argv) < 0 && !force)
 		log_message(LOG_ERR, "Failed to %s ip6table rule to allow NAs to be"
 				     " sent from vip %s", (cmd) ? "set" : "remove", addr_str);
 }
 
 /* add/remove iptable drop rule to VIP */
 static void
-handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, void *unused)
+handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, void *unused, bool force)
 {
 	char  *argv[10];
 	unsigned int i = 0;
@@ -243,7 +243,7 @@ handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, void
 		return;
 
 	if (IP_IS6(ipaddress)) {
-		handle_iptable_rule_to_NA(ipaddress, cmd, ifname);
+		handle_iptable_rule_to_NA(ipaddress, cmd, ifname, force);
 		argv[i++] = "ip6tables";
 	} else {
 		argv[i++] = "iptables";
@@ -264,9 +264,11 @@ handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, void
 	argv[i++] = "DROP";
 	argv[i] = NULL;
 
-	if (fork_exec(argv) < 0)
-		log_message(LOG_ERR, "Failed to %s iptable drop rule"
-				     " to vip %s", (cmd) ? "set" : "remove", addr_str);
+	if (fork_exec(argv) < 0) {
+		if (!force)
+			log_message(LOG_ERR, "Failed to %s ip%stable drop rule"
+					     " to vip %s", (cmd) ? "set" : "remove", IP_IS6(ipaddress) ? "6" : "", addr_str);
+	}
 	else
 		ipaddress->iptable_rule_set = (cmd != IPADDRESS_DEL);
 
@@ -278,9 +280,9 @@ handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, void
 	if (if_specifier >= 0)
 		argv[if_specifier] = "-o";
 
-	if (fork_exec(argv) < 0)
-		log_message(LOG_ERR, "Failed to %s iptable drop rule"
-				     " from vip %s", (cmd) ? "set" : "remove", addr_str);
+	if (fork_exec(argv) < 0 && !force)
+		log_message(LOG_ERR, "Failed to %s ip%stable drop rule"
+				     " from vip %s", (cmd) ? "set" : "remove", IP_IS6(ipaddress) ? "6" : "", addr_str);
 }
 #endif
 
@@ -299,7 +301,7 @@ handle_iptable_rule_to_iplist(struct ipt_handle *h, list ip_list, int cmd, char
 		ipaddr = ELEMENT_DATA(e);
 		if ((cmd == IPADDRESS_DEL) == ipaddr->iptable_rule_set ||
 		    force)
-			handle_iptable_rule_to_vip(ipaddr, cmd, ifname, h);
+			handle_iptable_rule_to_vip(ipaddr, cmd, ifname, h, force);
 	}
 }
 
@@ -562,7 +564,7 @@ clear_diff_address(struct ipt_handle *h, list l, list n)
 #endif
 							 )
 
-				handle_iptable_rule_to_vip(ipaddr, IPADDRESS_DEL, iface_name,h);
+				handle_iptable_rule_to_vip(ipaddr, IPADDRESS_DEL, iface_name, h, false);
 		}
 	}
 

keepalived/vrrp/vrrp_iptables.c

@@ -222,7 +222,7 @@ static int check_chains_exist(void)
 	return status;
 }
 
-static int iptables_entry(struct ipt_handle* h, const char* chain_name, int rulenum, char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd)
+static int iptables_entry(struct ipt_handle* h, const char* chain_name, int rulenum, char* target_name, const ip_address_t* src_ip_address, const ip_address_t* dst_ip_address, const char* in_iface, const char* out_iface, uint16_t protocol, uint16_t type, int cmd, bool force)
 {
 	int res;
 
@@ -231,7 +231,7 @@ static int iptables_entry(struct ipt_handle* h, const char* chain_name, int rule
 		if (!h->h4)
 			h->h4 = ip4tables_open ("filter");
 
-		res = ip4tables_process_entry( h->h4, chain_name, rulenum, target_name, src_ip_address, dst_ip_address, in_iface, out_iface, protocol, type, cmd);
+		res = ip4tables_process_entry( h->h4, chain_name, rulenum, target_name, src_ip_address, dst_ip_address, in_iface, out_iface, protocol, type, cmd, force);
 		if (!res)
 			h->updated_v4 = true ;
 		return res;
@@ -241,7 +241,7 @@ static int iptables_entry(struct ipt_handle* h, const char* chain_name, int rule
 		if (!h->h6)
 			h->h6 = ip6tables_open ("filter");
 
-		res = ip6tables_process_entry( h->h6, chain_name, rulenum, target_name, src_ip_address, dst_ip_address, in_iface, out_iface, protocol, type, cmd);
+		res = ip6tables_process_entry( h->h6, chain_name, rulenum, target_name, src_ip_address, dst_ip_address, in_iface, out_iface, protocol, type, cmd, force);
 		if (!res)
 			h->updated_v6 = true;
 		return res;
@@ -251,35 +251,35 @@ static int iptables_entry(struct ipt_handle* h, const char* chain_name, int rule
 }
 
 static void
-handle_iptable_rule_to_NA(ip_address_t *ipaddress, int cmd, char *ifname, void *h)
+handle_iptable_rule_to_NA(ip_address_t *ipaddress, int cmd, char *ifname, void *h, bool force)
 {
 	if (global_data->vrrp_iptables_inchain[0] == '\0')
 		return;
 
 	iptables_entry(h, global_data->vrrp_iptables_inchain, -1,
 			XTC_LABEL_ACCEPT, NULL, ipaddress,
 			ifname, NULL,
-			IPPROTO_ICMPV6, 135, cmd);
+			IPPROTO_ICMPV6, 135, cmd, force);
 	iptables_entry(h, global_data->vrrp_iptables_inchain, -1,
 			XTC_LABEL_ACCEPT, NULL, ipaddress,
 			ifname, NULL,
-			IPPROTO_ICMPV6, 136, cmd);
+			IPPROTO_ICMPV6, 136, cmd, force);
 
 	if (global_data->vrrp_iptables_outchain[0] == '\0')
 		return;
 
 	iptables_entry(h, global_data->vrrp_iptables_outchain, -1,
 			XTC_LABEL_ACCEPT, ipaddress, NULL,
 			NULL, ifname,
-			IPPROTO_ICMPV6, 135, cmd);
+			IPPROTO_ICMPV6, 135, cmd, force);
 	iptables_entry(h, global_data->vrrp_iptables_outchain, -1,
 			XTC_LABEL_ACCEPT, ipaddress, NULL,
 			NULL, ifname,
-			IPPROTO_ICMPV6, 136, cmd);
+			IPPROTO_ICMPV6, 136, cmd, force);
 }
 
 void
-handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, struct ipt_handle *h)
+handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, struct ipt_handle *h, bool force)
 {
 	char *my_ifname = NULL;
 
@@ -306,13 +306,13 @@ handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, struc
 		if (IN6_IS_ADDR_LINKLOCAL(&ipaddress->u.sin6_addr))
 			my_ifname = ifname;
 
-		handle_iptable_rule_to_NA(ipaddress, cmd, my_ifname, h);
+		handle_iptable_rule_to_NA(ipaddress, cmd, my_ifname, h, force);
 	}
 
 	iptables_entry(h, global_data->vrrp_iptables_inchain, -1,
 			XTC_LABEL_DROP, NULL, ipaddress,
 			my_ifname, NULL,
-			IPPROTO_NONE, 0, cmd);
+			IPPROTO_NONE, 0, cmd, force);
 
 	ipaddress->iptable_rule_set = (cmd != IPADDRESS_DEL);
 
@@ -322,7 +322,7 @@ handle_iptable_rule_to_vip(ip_address_t *ipaddress, int cmd, char *ifname, struc
 	iptables_entry(h, global_data->vrrp_iptables_outchain, -1,
 			XTC_LABEL_DROP, ipaddress, NULL,
 			NULL, my_ifname,
-			IPPROTO_NONE, 0, cmd);
+			IPPROTO_NONE, 0, cmd, force);
 }
 
 static void