0001-Fix-interfaaces-coming-up-during-vrrp_script-init-ph.patch

@@ -0,0 +1,42 @@
+From 1ef6d477f4bd4b8e8c61748205352b6ff34936d3 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 7 Apr 2020 23:47:16 +0100
+Subject: [PATCH 006/691] Fix interfaaces coming up during vrrp_script init
+ phase
+
+Issue #1532 reported that if a tracked interface transitioned from
+down to up while a vrrp_script was running for the first time, the
+tracking vrrp instances would never come up. This commit resolves
+the issue.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/vrrp/vrrp_scheduler.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/keepalived/vrrp/vrrp_scheduler.c b/keepalived/vrrp/vrrp_scheduler.c
+index 6eac8fd..6f3586d 100644
+--- a/keepalived/vrrp/vrrp_scheduler.c
++++ b/keepalived/vrrp/vrrp_scheduler.c
+@@ -623,8 +623,17 @@ try_up_instance(vrrp_t *vrrp, bool leaving_init)
+ 		if (vrrp->num_script_if_fault)
+ 			return;
+ 	}
+-	else if (--vrrp->num_script_if_fault || vrrp->num_script_init)
++	else if (--vrrp->num_script_if_fault || vrrp->num_script_init) {
++		if (!vrrp->num_script_if_fault) {
++			if (vrrp->sync) {
++				vrrp->sync->num_member_fault--;
++				vrrp->sync->state = VRRP_STATE_INIT;
++			}
++			vrrp->wantstate = VRRP_STATE_BACK;
++		}
++
+ 		return;
++	}
+ 
+ 	if (vrrp->wantstate == VRRP_STATE_MAST && vrrp->base_priority == VRRP_PRIO_OWNER) {
+ 		vrrp->wantstate = VRRP_STATE_MAST;
+-- 
+1.8.3.1
+

0002-Fix-segfault-when-checker-process-terminates-with-SN.patch

@@ -0,0 +1,43 @@
+From 1a94bcfe23ef9deca79f71769b786d774892bd3a Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 26 May 2020 15:25:11 +0100
+Subject: [PATCH 093/691] Fix segfault when checker process terminates with
+ SNMP
+
+snmp_agent_close() now has to be called before thread_destroy_master()
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/check/check_daemon.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/keepalived/check/check_daemon.c b/keepalived/check/check_daemon.c
+index 7da4061..1ce274d 100644
+--- a/keepalived/check/check_daemon.c
++++ b/keepalived/check/check_daemon.c
+@@ -133,6 +133,11 @@ checker_terminate_phase2(void)
+ 	/* Remove the notify fifo */
+ 	notify_fifo_close(&global_data->notify_fifo, &global_data->lvs_notify_fifo);
+ 
++#ifdef _WITH_SNMP_CHECKER_
++	if (global_data && global_data->enable_snmp_checker)
++		check_snmp_agent_close();
++#endif
++
+ 	/* Destroy master thread */
+ 	checker_dispatcher_release();
+ 	thread_destroy_master(master);
+@@ -141,10 +146,6 @@ checker_terminate_phase2(void)
+ 	free_ssl();
+ 
+ 	ipvs_stop();
+-#ifdef _WITH_SNMP_CHECKER_
+-	if (global_data && global_data->enable_snmp_checker)
+-		check_snmp_agent_close();
+-#endif
+ 
+ 	/* Stop daemon */
+ 	pidfile_rm(checkers_pidfile);
+-- 
+1.8.3.1
+

0003-regex-fix-memory-leak-if-not-using-JIT.patch

@@ -0,0 +1,26 @@
+From 4ab53a9bdac7701900d238574cd86e0a987b8a45 Mon Sep 17 00:00:00 2001
+From: Alexandre Cassen <acassen@gmail.com>
+Date: Fri, 5 Jun 2020 16:40:43 +0200
+Subject: [PATCH 149/691] regex: fix memory leak if not using JIT
+
+---
+ keepalived/check/check_http.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/keepalived/check/check_http.c b/keepalived/check/check_http.c
+index f2f61c9..e14f82d 100644
+--- a/keepalived/check/check_http.c
++++ b/keepalived/check/check_http.c
+@@ -771,6 +771,9 @@ prepare_regex(url_t *url)
+ 		pcre2_get_error_message(pcreErrorNumber, buffer, sizeof buffer);
+ 		log_message(LOG_INFO, "Regex JIT compilation failed: '%s': %s\n", url->regex->pattern, (char *)buffer);
+ 
++		FREE_CONST_PTR(r->pattern);
++		FREE(r);
++
+ 		return;
+ 	}
+ #endif
+-- 
+1.8.3.1
+

0004-parser-fix-multiple-command-line-substitutions-condi.patch

@@ -0,0 +1,32 @@
+From d37b2f4794acf1b0b431110c5e1fb23d652c5962 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 7 Jul 2020 21:16:26 +0100
+Subject: [PATCH 283/691] parser: fix multiple command line
+ substitutions/conditions
+
+For example:
+$NO_STRICT      @high   unicast_src_ip 10.1.5.1
+would cause the parser to enter an infinite loop.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ lib/parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/parser.c b/lib/parser.c
+index f6c522c..73911d9 100644
+--- a/lib/parser.c
++++ b/lib/parser.c
+@@ -1826,8 +1826,8 @@ read_line(char *buf, size_t size)
+ 		if (len == 0)
+ 			continue;
+ 
+-		recheck = false;
+ 		do {
++			recheck = false;
+ 			if (buf[0] == '@') {
+ 				/* If the line starts '@', check the following word matches the system id.
+ 				   @^ reverses the sense of the match */
+-- 
+1.8.3.1
+

0005-Fix-detecting-setsid-error-in-xdaemon.patch

@@ -0,0 +1,29 @@
+From d058988e1f2a67769075066e875cd8b16de931a4 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Thu, 20 Aug 2020 17:06:19 +0100
+Subject: [PATCH 322/691] Fix detecting setsid() error in xdaemon()
+
+setsid() return should be checked for < 0 rather than < -1. This
+error was fixed in the zebra code in 2004!
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/core/daemon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/keepalived/core/daemon.c b/keepalived/core/daemon.c
+index 0e3621d..3f99d34 100644
+--- a/keepalived/core/daemon.c
++++ b/keepalived/core/daemon.c
+@@ -59,7 +59,7 @@ xdaemon(bool nochdir, bool noclose, bool exitflag)
+ 
+ 	/* Become session leader and get pid. */
+ 	pid = setsid();
+-	if (pid < -1) {
++	if (pid < 0) {
+ 		log_message(LOG_INFO, "xdaemon: setsid error");
+ 		return -1;
+ 	}
+-- 
+1.8.3.1
+

0006-vrrp-fix-checking-if-kernel-netlink-socket-is-open.patch

@@ -0,0 +1,28 @@
+From 2f7fdfc1a45931753d77a17b1b67c6725a5f6784 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Wed, 14 Oct 2020 16:17:08 +0100
+Subject: [PATCH 380/691] vrrp: fix checking if kernel netlink socket is open
+
+0 is a valid value for a file descriptor.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/core/keepalived_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/keepalived/core/keepalived_netlink.c b/keepalived/core/keepalived_netlink.c
+index 6ac26dc..3169013 100644
+--- a/keepalived/core/keepalived_netlink.c
++++ b/keepalived/core/keepalived_netlink.c
+@@ -2314,7 +2314,7 @@ kernel_netlink(thread_ref_t thread)
+ void
+ kernel_netlink_poll(void)
+ {
+-	if (!nl_kernel.fd)
++	if (nl_kernel.fd < 0)
+ 		return;
+ 
+ 	netlink_parse_info(netlink_broadcast_filter, &nl_kernel, NULL, true);
+-- 
+1.8.3.1
+

0007-vrrp-ensure-memory-used-for-entries-in-etc-iproute2-.patch

@@ -0,0 +1,54 @@
+From ed07bd83ef06dc33365c286654a9fddc08fbb8f5 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Wed, 14 Oct 2020 16:19:54 +0100
+Subject: [PATCH 381/691] vrrp: ensure memory used for entries in /etc/iproute2
+ is freed
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/vrrp/vrrp_daemon.c | 2 ++
+ keepalived/vrrp/vrrp_data.c   | 2 --
+ lib/parser.c                  | 4 +---
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/keepalived/vrrp/vrrp_daemon.c b/keepalived/vrrp/vrrp_daemon.c
+index 4533f06..ea950c9 100644
+--- a/keepalived/vrrp/vrrp_daemon.c
++++ b/keepalived/vrrp/vrrp_daemon.c
+@@ -246,6 +246,8 @@ vrrp_terminate_phase2(int exit_status)
+ 		dbus_stop();
+ #endif
+ 
++	clear_rt_names();
++
+ 	if (global_data->vrrp_notify_fifo.fd != -1)
+ 		notify_fifo_close(&global_data->notify_fifo, &global_data->vrrp_notify_fifo);
+ 
+diff --git a/keepalived/vrrp/vrrp_data.c b/keepalived/vrrp/vrrp_data.c
+index 31f4b82..40d10ba 100644
+--- a/keepalived/vrrp/vrrp_data.c
++++ b/keepalived/vrrp/vrrp_data.c
+@@ -1157,6 +1157,4 @@ dump_data_vrrp(FILE *fp)
+ 		conf_write(fp, "------< Interfaces >------");
+ 		dump_list(fp, ifl);
+ 	}
+-
+-	clear_rt_names();
+ }
+diff --git a/lib/parser.c b/lib/parser.c
+index 73911d9..c13e133 100644
+--- a/lib/parser.c
++++ b/lib/parser.c
+@@ -2099,8 +2099,6 @@ init_data(const char *conf_file, const vector_t * (*init_keywords) (void))
+ 
+ 	free_keywords(keywords);
+ 	free_parser_data();
+-#ifdef _WITH_VRRP_
+-	clear_rt_names();
+-#endif
++
+ 	notify_resource_release();
+ }
+-- 
+1.8.3.1
+

0008-ipvs-fix-a-file-descriptor-leak-with-SSL_GET.patch

@@ -0,0 +1,41 @@
+From 48d398a186afb0c71eb2fc05328f4fed580f975e Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Wed, 28 Oct 2020 16:10:01 +0000
+Subject: [PATCH 426/691] ipvs: fix a file descriptor leak with SSL_GET
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/check/check_ssl.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
+index c7fb2ca..2999244 100644
+--- a/keepalived/check/check_ssl.c
++++ b/keepalived/check/check_ssl.c
+@@ -301,8 +301,8 @@ ssl_read_thread(thread_ref_t thread)
+ 	if (req->error == SSL_ERROR_WANT_READ) {
+ 		 /* async read unfinished */
+ 		thread_add_read(thread->master, ssl_read_thread, checker,
+-				thread->u.f.fd, timeout, false);
+-	} else if (r > 0 && req->error == 0) {
++				thread->u.f.fd, timeout, true);
++	} else if (r > 0 && req->error == SSL_ERROR_NONE) {
+ 		/* Handle response stream */
+ 		http_process_response(req, (size_t)r, url);
+ 
+@@ -311,10 +311,9 @@ ssl_read_thread(thread_ref_t thread)
+ 		 * Register itself to not perturbe global I/O multiplexer.
+ 		 */
+ 		thread_add_read(thread->master, ssl_read_thread, checker,
+-				thread->u.f.fd, timeout, false);
++				thread->u.f.fd, timeout, true);
+ 	} else if (req->error) {
+-
+-		/* All the SSL streal has been parsed */
++		/* All the SSL stream has been parsed */
+ 		if (url->digest)
+ 			MD5_Final(digest, &req->context);
+ 		SSL_set_quiet_shutdown(req->ssl, 1);
+-- 
+1.8.3.1
+

0009-core-Fix-a-file-descriptor-leak-when-reloading.patch

@@ -0,0 +1,62 @@
+From ba3ce49606271ec49188b8c73ff341b9f680f254 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Wed, 28 Oct 2020 16:11:37 +0000
+Subject: [PATCH 427/691] core: Fix a file descriptor leak when reloading
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ lib/scheduler.c | 29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/lib/scheduler.c b/lib/scheduler.c
+index f54e3b4..139b8e5 100644
+--- a/lib/scheduler.c
++++ b/lib/scheduler.c
+@@ -839,10 +839,24 @@ thread_destroy_list(thread_master_t *m, list_head_t *l)
+ 	thread_t *thread, *thread_tmp;
+ 
+ 	list_for_each_entry_safe(thread, thread_tmp, l, next) {
+-		if (thread->event) {
+-			thread_del_read(thread);
+-			thread_del_write(thread);
++		/* The following thread types are relevant for the ready list */
++		if (thread->type == THREAD_READY_READ_FD ||
++		    thread->type == THREAD_READY_WRITE_FD ||
++		    thread->type == THREAD_READ_TIMEOUT ||
++		    thread->type == THREAD_WRITE_TIMEOUT ||
++		    thread->type == THREAD_READ_ERROR ||
++		    thread->type == THREAD_WRITE_ERROR) {
++			/* Do we have a thread_event, and does it need deleting? */
++			if (thread->event) {
++				thread_del_read(thread);
++				thread_del_write(thread);
++			}
++
++			/* Do we have a file descriptor that needs closing ? */
++			if (thread->u.f.close_on_reload)
++				thread_close_fd(thread);
+ 		}
++
+ 		list_head_del(&thread->next);
+ 		thread_add_unuse(m, thread);
+ 	}
+@@ -856,14 +870,9 @@ thread_destroy_rb(thread_master_t *m, rb_root_cached_t *root)
+ 	rb_for_each_entry_safe_cached(thread, thread_tmp, root, n) {
+ 		rb_erase_cached(&thread->n, root);
+ 
++		/* The following are relevant for the read and write rb lists */
+ 		if (thread->type == THREAD_READ ||
+-		    thread->type == THREAD_WRITE ||
+-		    thread->type == THREAD_READY_READ_FD ||
+-		    thread->type == THREAD_READY_WRITE_FD ||
+-		    thread->type == THREAD_READ_TIMEOUT ||
+-		    thread->type == THREAD_WRITE_TIMEOUT ||
+-		    thread->type == THREAD_READ_ERROR ||
+-		    thread->type == THREAD_WRITE_ERROR) {
++		    thread->type == THREAD_WRITE) {
+ 			/* Do we have a thread_event, and does it need deleting? */
+ 			if (thread->type == THREAD_READ)
+ 				thread_del_read(thread);
+-- 
+1.8.3.1
+

0010-vrrp-Don-t-segfault-when-a-VRID-is-changed-on-a-VMAC.patch

@@ -0,0 +1,81 @@
+From d00153b11938f973816d39fabfd7edb6c69e46e8 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 17 Nov 2020 16:14:18 +0000
+Subject: [PATCH 447/691] vrrp: Don't segfault when a VRID is changed on a VMAC
+ when reloading
+
+With many thanks to Louis Scalbert (@louis-oui) for identifying the
+issue and providing a patch that formed the basis of this patch.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/vrrp/vrrp_daemon.c | 16 ++++++++--------
+ keepalived/vrrp/vrrp_if.c     | 18 ++++++++++--------
+ 2 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/keepalived/vrrp/vrrp_daemon.c b/keepalived/vrrp/vrrp_daemon.c
+index ea950c9..aa3052d 100644
+--- a/keepalived/vrrp/vrrp_daemon.c
++++ b/keepalived/vrrp/vrrp_daemon.c
+@@ -551,6 +551,14 @@ start_vrrp(data_t *prev_global_data)
+ 		}
+ 	}
+ 
++	/* Init & start the VRRP packet dispatcher */
++	if (!reload && global_data->vrrp_startup_delay) {
++		log_message(LOG_INFO, "Delaying startup for %g seconds", global_data->vrrp_startup_delay / TIMER_HZ_DOUBLE);
++		thread_add_timer(master, vrrp_dispatcher_init, NULL,
++				 global_data->vrrp_startup_delay);
++	} else
++		thread_add_event(master, vrrp_dispatcher_init, NULL, 0);
++
+ 	/* Complete VRRP initialization */
+ 	if (!vrrp_complete_init()) {
+ 		stop_vrrp(KEEPALIVED_EXIT_CONFIG);
+@@ -610,14 +618,6 @@ start_vrrp(data_t *prev_global_data)
+ 	if (__test_bit(DUMP_CONF_BIT, &debug))
+ 		dump_data_vrrp(NULL);
+ 
+-	/* Init & start the VRRP packet dispatcher */
+-	if (!reload && global_data->vrrp_startup_delay) {
+-		log_message(LOG_INFO, "Delaying startup for %g seconds", global_data->vrrp_startup_delay / TIMER_HZ_DOUBLE);
+-		thread_add_timer(master, vrrp_dispatcher_init, NULL,
+-				 global_data->vrrp_startup_delay);
+-	} else
+-		thread_add_event(master, vrrp_dispatcher_init, NULL, 0);
+-
+ 	/* Set the process priority and non swappable if configured */
+ 	set_process_priorities(global_data->vrrp_realtime_priority,
+ #if HAVE_DECL_RLIMIT_RTTIME == 1
+diff --git a/keepalived/vrrp/vrrp_if.c b/keepalived/vrrp/vrrp_if.c
+index 6847df9..d40f9f1 100644
+--- a/keepalived/vrrp/vrrp_if.c
++++ b/keepalived/vrrp/vrrp_if.c
+@@ -1311,14 +1311,16 @@ cleanup_lost_interface(interface_t *ifp)
+ #endif
+ 
+ 		/* Find the sockpool entry. If none, then we have closed the socket */
+-		if (vrrp->sockets->fd_in != -1) {
+-			thread_cancel_read(master, vrrp->sockets->fd_in);
+-			close(vrrp->sockets->fd_in);
+-			vrrp->sockets->fd_in = -1;
+-		}
+-		if (vrrp->sockets->fd_out != -1) {
+-			close(vrrp->sockets->fd_out);
+-			vrrp->sockets->fd_out = -1;
++		if (vrrp->sockets) {
++			if (vrrp->sockets->fd_in != -1) {
++				thread_cancel_read(master, vrrp->sockets->fd_in);
++				close(vrrp->sockets->fd_in);
++				vrrp->sockets->fd_in = -1;
++			}
++			if (vrrp->sockets->fd_out != -1) {
++				close(vrrp->sockets->fd_out);
++				vrrp->sockets->fd_out = -1;
++			}
+ 		}
+ 
+ 		if (IF_ISUP(ifp))
+-- 
+1.8.3.1
+

0011-vrrp-clear-old_vrrp_data-and-old_global_data-when-me.patch

@@ -0,0 +1,28 @@
+From 988fd158b25a5ea08b2bef3bac6d0a2cd7bb53ec Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 15 Dec 2020 15:33:05 +0000
+Subject: [PATCH 483/691] vrrp: clear old_vrrp_data and old_global_data when
+ memory freed
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/vrrp/vrrp_daemon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/keepalived/vrrp/vrrp_daemon.c b/keepalived/vrrp/vrrp_daemon.c
+index aa3052d..8d0fe70 100644
+--- a/keepalived/vrrp/vrrp_daemon.c
++++ b/keepalived/vrrp/vrrp_daemon.c
+@@ -817,7 +817,9 @@ reload_vrrp_thread(__attribute__((unused)) thread_ref_t thread)
+ 
+ 	/* free backup data */
+ 	free_vrrp_data(old_vrrp_data);
++	old_vrrp_data = NULL;
+ 	free_global_data(old_global_data);
++	old_global_data = NULL;
+ 
+ 	free_old_interface_queue();
+ 
+-- 
+1.8.3.1
+

CVE-2021-44225.patch

@@ -0,0 +1,39 @@
+From 7977fec0be89ae6fe87405b3f8da2f0b5e415e3d Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.ch>
+Date: Tue, 23 Nov 2021 06:50:59 +0100
+Subject: [PATCH] dbus: fix policy to not be overly broad
+The DBus policy did not restrict the message destination, allowing any
+user to inspect and manipulate any property.
+CVE-2021-44225
+https://nvd.nist.gov/vuln/detail/CVE-2021-44225
+Reference:https://github.com/acassen/keepalived/commit/7977fec0be89ae6fe87405b3f8da2f0b5e415e3d.patch
+Conflict:NA
+Signed-off-by: Vincent Bernat <vincent@bernat.ch>
+---
+ keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf b/keepalived/dbus/org.keepalived.Vrrp1.conf
+index 2b78a575c..b5ced6085 100644
+--- a/keepalived/dbus/org.keepalived.Vrrp1.conf
++++ b/keepalived/dbus/org.keepalived.Vrrp1.conf
+@@ -3,12 +3,15 @@
+  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+ <busconfig>
+ 	<policy user="root">
+-		<allow own="org.keepalived.Vrrp1"/>
+-		<allow send_destination="org.keepalived.Vrrp1"/>
++		<allow own="org.keepalived.Vrrp1" />
++		<allow send_destination="org.keepalived.Vrrp1" />
+ 	</policy>
+ 	<policy context="default">
+-		<allow send_interface="org.freedesktop.DBus.Introspectable" />
+-		<allow send_interface="org.freedesktop.DBus.Peer" />
+-		<allow send_interface="org.freedesktop.DBus.Properties" />
++		<allow send_destination="org.keepalived.Vrrp1"
++		       send_interface="org.freedesktop.DBus.Introspectable" />
++		<allow send_destination="org.keepalived.Vrrp1"
++		       send_interface="org.freedesktop.DBus.Peer" />
++		<allow send_destination="org.keepalived.Vrrp1"
++		       send_interface="org.freedesktop.DBus.Properties" />
+ 	</policy>
+ </busconfig>

keepalived-pid-check.sh

@@ -1,54 +0,0 @@
-#! /bin/bash
-
-if [ ! -f /run/keepalived.pid ] || [ ! -f /run/keepalived.pid.save ]; then
-	echo "check keepalived.pid and run/keepalived.pid.save file not exists"
-	exit 1
-fi
-
-NOW_MAIN_PID=$(/usr/bin/cat /run/keepalived.pid)
-
-if [ -f /run/checkers.pid ]; then
-	NOW_CHECKERS_PID=$(/usr/bin/cat /run/checkers.pid)
-else
-	NOW_CHECKERS_PID=0
-fi
-
-if [ -f /run/vrrp.pid ]; then
-	NOW_VRRP_PID=$(/usr/bin/cat /run/vrrp.pid)
-else
-	NOW_VRRP_PID=0
-fi
-
-count=1;
-
-while read LINE
-do
-	if [ $count = 1 ]; then
-		if [ $NOW_MAIN_PID != $LINE ]; then
-			echo "check main pid $LINE ...... [fail]"
-			exit 1
-		fi
-		echo "check main pid $LINE ...... [pass]"
-	fi
-
-        if [ $count = 2 ]; then
-                if [ $NOW_CHECKERS_PID != $LINE ]; then
-			echo "check checker pid $LINE ... [fail]"
-                        exit 1
-                fi
-		echo "check checker pid $LINE ... [pass]"
-        fi
-
-        if [ $count = 3 ]; then
-                if [ $NOW_VRRP_PID != $LINE ]; then
-			echo "check vrrp pid $LINE ...... [fail]"
-                        exit 1
-                fi
-		echo "check vrrp pid $LINE ...... [pass]"
-        fi
-
-	count=$[ $count + 1 ]
-
-done < /run/keepalived.pid.save
-
-exit 0

keepalived-start-post.sh

@@ -1,39 +0,0 @@
-#!/bin/sh
-umask 0027
-
-echo "exec started post "
-
-CheckPidFile()
-{
-	ps -ef | grep "/usr/sbin/keepalived -D --all" | while read line;
-	do
-		PID=$(echo $line | awk '{print $2}')
-		FATHER=$(echo $line | awk '{print $3}')
-		CMD=$(echo $line| awk '{print $8}')
-		if [ $CMD = "/usr/sbin/keepalived" ] && [ $FATHER = "1" ]; then
-			echo $PID > /run/keepalived.pid
-		fi
-	done
-}
-
-if [ -f /run/keepalived.pid ]; then
-	echo $(/usr/bin/cat /run/keepalived.pid) > /run/keepalived.pid.save
-else
-	CheckPidFile
-fi
-
-if [ -f /run/checkers.pid ]; then
-        echo $(/usr/bin/cat /run/checkers.pid) >> /run/keepalived.pid.save
-else
-	echo 0 >> /run/keepalived.pid.save
-
-fi
-
-if [ -f /run/vrrp.pid ]; then
-        echo $(/usr/bin/cat /run/vrrp.pid) >> /run/keepalived.pid.save
-else
-	echo 0 >> /run/keepalived.pid.save
-fi
-
-exit 0
-

keepalived-stop-post.sh

@@ -1,19 +0,0 @@
-#!/bin/sh
-if [ -f /run/checkers.pid ]; then
-	checkerpid=$(/usr/bin/cat /run/checkers.pid) 
-	/bin/kill $checkerpid
-	echo "Kill checkers-pid $checkerpid , when execute stop-post keepalived"
-fi
-
-if [ -f /run/vrrp.pid ]; then 
-	vrrppid=$(/usr/bin/cat /run/vrrp.pid)
-	/bin/kill $vrrppid
-	echo "Kill vrrp-pid $vrrppid, when execute stop-post keepalived"
-fi
-
-if [ -f /run/keepalived.pid.save ]; then
-	rm -rf /run/keepalived.pid.save
-fi
-
-echo "Excuted stop-post keepalived"
-

keepalived.service

@@ -8,12 +8,8 @@ Type=forking
 PIDFile=/run/keepalived.pid
 KillMode=process
 EnvironmentFile=-/etc/sysconfig/keepalived
-ExecStartPost=/usr/sbin/keepalived-start-post.sh
 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
-ExecStopPost=/usr/sbin/keepalived-stop-post.sh
-StartLimitBurst=1
-StartLimitInterval=1s
 
 [Install]
 WantedBy=multi-user.target

keepalived.spec

@@ -8,23 +8,29 @@
 %global _hardened_build 1
 
 Name:		keepalived
-Version:	2.2.8
+Version:	2.0.20
-Release:	1
+Release:	4
 Summary:	High Availability monitor built upon LVS, VRRP and service pollers
 License:	GPLv2+
 URL:		http://www.keepalived.org/
 Source0:	http://www.keepalived.org/software/keepalived-%{version}.tar.gz
 Source1: 	keepalived.service
-Source2:        keepalived-stop-post.sh
-Source3:        keepalived-start-post.sh
-Source4:        keepalived-pid-check.sh
 
-Requires(post): systemd
+Patch0001:      0001-Fix-interfaaces-coming-up-during-vrrp_script-init-ph.patch
-Requires(preun): systemd
+Patch0002:      0002-Fix-segfault-when-checker-process-terminates-with-SN.patch
-Requires(postun): systemd
+Patch0003:      0003-regex-fix-memory-leak-if-not-using-JIT.patch
+Patch0004:      0004-parser-fix-multiple-command-line-substitutions-condi.patch
+Patch0005:      0005-Fix-detecting-setsid-error-in-xdaemon.patch
+Patch0006:      0006-vrrp-fix-checking-if-kernel-netlink-socket-is-open.patch
+Patch0007:      0007-vrrp-ensure-memory-used-for-entries-in-etc-iproute2-.patch
+Patch0008:      0008-ipvs-fix-a-file-descriptor-leak-with-SSL_GET.patch
+Patch0009:      0009-core-Fix-a-file-descriptor-leak-when-reloading.patch
+Patch0010:      0010-vrrp-Don-t-segfault-when-a-VRID-is-changed-on-a-VMAC.patch
+Patch0011:      0011-vrrp-clear-old_vrrp_data-and-old_global_data-when-me.patch
+Patch0012:      CVE-2021-44225.patch
+
 BuildRequires:	net-snmp-devel gcc systemd-units openssl-devel libnl3-devel
 BuildRequires:  ipset-devel iptables-devel libnfnetlink-devel libnftnl-devel
-BuildRequires:  file-devel libmnl-devel
 %{?systemd requires}
 
 %description
@@ -65,10 +71,7 @@ rm -rf .%{_sysconfdir}/keepalived/samples/
 popd
 
 install -d -m 0755 %{buildroot}%{_unitdir}
-install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/keepalived.service
+install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/keepalived.service
-install -p -D -m 0550 %{SOURCE2} %{buildroot}%{_sbindir}/keepalived-stop-post.sh
-install -p -D -m 0550 %{SOURCE3} %{buildroot}%{_sbindir}/keepalived-start-post.sh
-install -p -D -m 0550 %{SOURCE4} %{buildroot}%{_sbindir}/keepalived-pid-check.sh
 install -Dd -m 0755 %{buildroot}%{_libexecdir}/keepalived
 
 %post
@@ -85,13 +88,10 @@ install -Dd -m 0755 %{buildroot}%{_libexecdir}/keepalived
 %doc README 
 %license COPYING
 %config(noreplace) %attr(0644,root,root) %{_sysconfdir}/sysconfig/keepalived
-%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/keepalived/keepalived.conf.sample
+%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/keepalived/keepalived.conf
 %attr(0755,root,root) %{_sbindir}/keepalived
 %dir %{_sysconfdir}/keepalived/
 %dir %{_libexecdir}/keepalived/
-%attr(0550,root,root) %{_sbindir}/keepalived-stop-post.sh
-%attr(0550,root,root) %{_sbindir}/keepalived-start-post.sh
-%attr(0550,root,root) %{_sbindir}/keepalived-pid-check.sh
 %{_bindir}/genhash
 %{_datadir}/snmp/mibs/*
 %{_unitdir}/keepalived.service
@@ -102,41 +102,17 @@ install -Dd -m 0755 %{buildroot}%{_libexecdir}/keepalived
 %{_mandir}/man*
 
 %changelog
-* Sun Feb 18 2024 sunsuwan <sunsuwan3@huawei.com> -  2.2.8-1
+* Thu Dec 23 2021 wangxp006 <wangxp006@163.com> -  2.0.20-4
-- Type:bugfix
-- ID:NA
-- SUG:NA
-- DESC:upgrade keepalived to 2.2.8
-
-* Thu Aug 10 2023 liubo <liubo335@huawei.com> -  2.2.4-4
-- Type:bugfix
-- ID:NA
-- SUG:NA
-- DESC:dbus:fix type of name property in interface
-
-* Mon Jun 12 2023 sunsuwan <sunsuwan3@huawei.com> -  2.2.4-3
-- Type:CVE
-- ID:NA 
-- SUG:NA
-- DESC:backport upstream patches and make service start not so offen
-
-* Tue Mar 29 2022 kwb0523 <kwb0523@163.com> -  2.2.4-2
 - Type:bugfix
 - ID:NA 
 - SUG:NA
 - DESC:fix CVE-2021-44225
 
-* Tue Dec 21 2021 kwb0523 <kwb0523@163.com> -  2.2.4-1
+* Wed Jun 10 2021 wangxp006 <wangxp006@163.com> -  2.0.20-3
-- Type:bugfix
-- ID:NA 
-- SUG:NA
-- DESC:upgrade keepalived to 2.2.4
-
-* Thu Jun 10 2021 wangxp006 <wangxp006@163.com> -  2.0.20-3
 - Type:bugfix
 - ID:NA 
 - SUG:NA
 - DESC:backport upstream patches
 
-* Tue May 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.0.20-2
+* Fri  21 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.0.20-2
 - Package init