diff --git a/data/templates/vrrp/keepalived.conf.tmpl b/data/templates/vrrp/keepalived.conf.tmpl
index 6203184e3..4bbd56584 100644
--- a/data/templates/vrrp/keepalived.conf.tmpl
+++ b/data/templates/vrrp/keepalived.conf.tmpl
@@ -1,129 +1,132 @@
# Autogenerated by VyOS
# Do not edit this file, all your changes will be lost
# on next commit or reboot
global_defs {
dynamic_interfaces
script_user root
{% if global_parameters is defined and global_parameters is not none %}
{% if global_parameters.startup_delay is defined %}
vrrp_startup_delay {{ global_parameters.startup_delay }}
{% endif %}
+{% if global_parameters.version is defined %}
+ vrrp_version {{ global_parameters.version }}
+{% endif %}
{% endif %}
notify_fifo /run/keepalived/keepalived_notify_fifo
notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}
{% if group is defined and group is not none %}
{% for name, group_config in group.items() if group_config.disable is not defined %}
{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none %}
vrrp_script healthcheck_{{ name }} {
script "{{ group_config.health_check.script }}"
interval {{ group_config.health_check.interval }}
fall {{ group_config.health_check.failure_count }}
rise 1
}
{% endif %}
vrrp_instance {{ name }} {
{% if group_config.description is defined and group_config.description is not none %}
# {{ group_config.description }}
{% endif %}
state BACKUP
interface {{ group_config.interface }}
virtual_router_id {{ group_config.vrid }}
priority {{ group_config.priority }}
advert_int {{ group_config.advertise_interval }}
{% if group_config.track is defined and group_config.track.exclude_vrrp_interface is defined %}
dont_track_primary
{% endif %}
{% if group_config.no_preempt is not defined and group_config.preempt_delay is defined and group_config.preempt_delay is not none %}
preempt_delay {{ group_config.preempt_delay }}
{% elif group_config.no_preempt is defined %}
nopreempt
{% endif %}
{% if group_config.peer_address is defined and group_config.peer_address is not none %}
unicast_peer { {{ group_config.peer_address }} }
{% endif %}
{% if group_config.hello_source_address is defined and group_config.hello_source_address is not none %}
{% if group_config.peer_address is defined and group_config.peer_address is not none %}
unicast_src_ip {{ group_config.hello_source_address }}
{% else %}
mcast_src_ip {{ group_config.hello_source_address }}
{% endif %}
{% endif %}
{% if group_config.rfc3768_compatibility is defined and group_config.peer_address is defined %}
use_vmac {{ group_config.interface }}v{{ group_config.vrid }}
vmac_xmit_base
{% elif group_config.rfc3768_compatibility is defined %}
use_vmac {{ group_config.interface }}v{{ group_config.vrid }}
{% endif %}
{% if group_config.authentication is defined and group_config.authentication is not none %}
authentication {
auth_pass "{{ group_config.authentication.password }}"
{% if group_config.authentication.type == 'plaintext-password' %}
auth_type PASS
{% else %}
auth_type {{ group_config.authentication.type | upper }}
{% endif %}
}
{% endif %}
{% if group_config.virtual_address is defined and group_config.virtual_address is not none %}
virtual_ipaddress {
{% for addr, addr_config in group_config.virtual_address.items() %}
{{ addr }}{{ ' dev ' + addr_config.interface if addr_config.interface is defined }}
{% endfor %}
}
{% endif %}
{% if group_config.virtual_address_excluded is defined and group_config.virtual_address_excluded is not none %}
virtual_ipaddress_excluded {
{% for addr in group_config.virtual_address_excluded %}
{{ addr }}
{% endfor %}
}
{% endif %}
{% if group_config.track is defined and group_config.track.interface is defined and group_config.track.interface is not none %}
track_interface {
{% for interface in group_config.track.interface %}
{{ interface }}
{% endfor %}
}
{% endif %}
{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none %}
track_script {
healthcheck_{{ name }}
}
{% endif %}
}
{% endfor %}
{% endif %}
{% if sync_group is defined and sync_group is not none %}
{% for name, sync_group_config in sync_group.items() if sync_group_config.disable is not defined %}
vrrp_sync_group {{ name }} {
group {
{% if sync_group_config.member is defined and sync_group_config.member is not none %}
{% for member in sync_group_config.member %}
{{ member }}
{% endfor %}
{% endif %}
}
{# Health-check scripts should be in section sync-group if member is part of the sync-group T4081 #}
{% if vrrp is defined and vrrp.group is defined and vrrp.group is not none %}
{% for name, group_config in group.items() if group_config.disable is not defined %}
{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none and name in sync_group_config.member %}
track_script {
healthcheck_{{ name }}
}
{% endif %}
{% endfor %}
{% endif %}
{% if conntrack_sync_group is defined and conntrack_sync_group == name %}
{% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %}
notify_master "{{ vyos_helper }} master {{ name }}"
notify_backup "{{ vyos_helper }} backup {{ name }}"
notify_fault "{{ vyos_helper }} fault {{ name }}"
{% endif %}
}
{% endfor %}
{% endif %}
diff --git a/interface-definitions/vrrp.xml.in b/interface-definitions/vrrp.xml.in
index 80a33c2b2..cbd248b33 100644
--- a/interface-definitions/vrrp.xml.in
+++ b/interface-definitions/vrrp.xml.in
@@ -1,401 +1,420 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="high-availability">
<properties>
<help>High availability settings</help>
</properties>
<children>
<node name="vrrp" owner="${vyos_conf_scripts_dir}/vrrp.py">
<properties>
<priority>800</priority> <!-- after all interfaces and conntrack-sync -->
<help>Virtual Router Redundancy Protocol settings</help>
</properties>
<children>
<node name="global-parameters">
<properties>
<help>VRRP global parameters</help>
</properties>
<children>
<leafNode name="startup-delay">
<properties>
<help>Time VRRP startup process (in seconds)</help>
<valueHelp>
<format>u32:1-600</format>
<description>Interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-600"/>
</constraint>
</properties>
</leafNode>
+ <leafNode name="version">
+ <properties>
+ <help>Default VRRP version to use, IPv6 always uses VRRP version 3</help>
+ <completionHelp>
+ <list>2 3</list>
+ </completionHelp>
+ <valueHelp>
+ <format>u32:2</format>
+ <description>VRRP version 2</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:3</format>
+ <description>VRRP version 3</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 2-3"/>
+ </constraint>
+ </properties>
+ </leafNode>
</children>
</node>
<tagNode name="group">
<properties>
<help>VRRP group</help>
</properties>
<children>
<leafNode name="interface">
<properties>
<help>Network interface</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py --broadcast</script>
</completionHelp>
</properties>
</leafNode>
<leafNode name="advertise-interval">
<properties>
<help>Advertise interval</help>
<valueHelp>
<format>u32:1-255</format>
<description>Advertise interval in seconds (default: 1)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
<defaultValue>1</defaultValue>
</leafNode>
<node name="authentication">
<properties>
<help>VRRP authentication</help>
</properties>
<children>
<leafNode name="password">
<properties>
<help>VRRP password</help>
<valueHelp>
<format>txt</format>
<description>Password string (up to 8 characters)</description>
</valueHelp>
<constraint>
<regex>.{1,8}</regex>
</constraint>
<constraintErrorMessage>Password must not be longer than 8 characters</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="type">
<properties>
<help>Authentication type</help>
<completionHelp>
<list>plaintext-password ah</list>
</completionHelp>
<valueHelp>
<format>plaintext-password</format>
<description>Simple password string</description>
</valueHelp>
<valueHelp>
<format>ah</format>
<description>AH - IPSEC (not recommended)</description>
</valueHelp>
<constraint>
<regex>^(plaintext-password|ah)$</regex>
</constraint>
<constraintErrorMessage>Authentication type must be plaintext-password or ah</constraintErrorMessage>
</properties>
</leafNode>
</children>
</node>
<leafNode name="description">
<properties>
<help>Group description</help>
</properties>
</leafNode>
#include <include/generic-disable-node.xml.i>
<node name="health-check">
<properties>
<help>Health check script</help>
</properties>
<children>
<leafNode name="failure-count">
<properties>
<help>Health check failure count required for transition to fault (default: 3)</help>
<constraint>
<validator name="numeric" argument="--positive" />
</constraint>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
<leafNode name="interval">
<properties>
<help>Health check execution interval in seconds (default: 60)</help>
<constraint>
<validator name="numeric" argument="--positive"/>
</constraint>
</properties>
<defaultValue>60</defaultValue>
</leafNode>
<leafNode name="script">
<properties>
<help>Health check script file</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
<leafNode name="hello-source-address">
<properties>
<help>VRRP hello source address</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 hello source address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 hello source address</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
<validator name="ipv6-address"/>
</constraint>
</properties>
</leafNode>
<leafNode name="peer-address">
<properties>
<help>Unicast VRRP peer address</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 unicast peer address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 unicast peer address</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
<validator name="ipv6-address"/>
</constraint>
</properties>
</leafNode>
<leafNode name="no-preempt">
<properties>
<valueless/>
<help>Disable master preemption</help>
</properties>
</leafNode>
<leafNode name="preempt-delay">
<properties>
<help>Preempt delay (in seconds)</help>
<valueHelp>
<format>u32:0-1000</format>
<description>preempt delay</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-1000"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
<leafNode name="priority">
<properties>
<help>Router priority (default: 100)</help>
<valueHelp>
<format>u32:1-255</format>
<description>Router priority</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
<defaultValue>100</defaultValue>
</leafNode>
<leafNode name="rfc3768-compatibility">
<properties>
<valueless/>
<help>Use VRRP virtual MAC address as per RFC3768</help>
</properties>
</leafNode>
<node name="track">
<properties>
<help>Track settings</help>
</properties>
<children>
<leafNode name="exclude-vrrp-interface">
<properties>
<valueless/>
<help>Disable track state of main interface</help>
</properties>
</leafNode>
<leafNode name="interface">
<properties>
<help>Interface name state check</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py --broadcast</script>
</completionHelp>
<valueHelp>
<format>txt</format>
<description>Interface name</description>
</valueHelp>
<constraint>
#include <include/constraint/interface-name.xml.in>
</constraint>
<multi/>
</properties>
</leafNode>
</children>
</node>
<node name="transition-script">
<properties>
<help>VRRP transition scripts</help>
</properties>
<children>
<leafNode name="master">
<properties>
<help>Script to run on VRRP state transition to master</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
<leafNode name="backup">
<properties>
<help>Script to run on VRRP state transition to backup</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
<leafNode name="fault">
<properties>
<help>Script to run on VRRP state transition to fault</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
<leafNode name="stop">
<properties>
<help>Script to run on VRRP state transition to stop</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
<leafNode name="mode-force">
<properties>
<valueless/>
<help>Disable VRRP state checking (deprecated, will be removed in VyOS 1.4)</help>
</properties>
</leafNode>
</children>
</node>
<tagNode name="virtual-address">
<properties>
<help>Virtual address (IPv4 or IPv6, but they must not be mixed in one group)</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 virtual address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 virtual address</description>
</valueHelp>
<constraint>
<validator name="ipv4-host"/>
<validator name="ipv6-host"/>
</constraint>
<constraintErrorMessage>Virtual address must be a valid IPv4 or IPv6 address with prefix length (e.g. 192.0.2.3/24 or 2001:db8:ff::10/64)</constraintErrorMessage>
</properties>
<children>
#include <include/generic-interface-broadcast.xml.i>
</children>
</tagNode>
<leafNode name="virtual-address-excluded">
<properties>
<help>Virtual address (If you need additional IPv4 and IPv6 in same group)</help>
<valueHelp>
<format>ipv4</format>
<description>IP address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ipv4-host"/>
<validator name="ipv6-host"/>
</constraint>
<constraintErrorMessage>Virtual address must be a valid IPv4 or IPv6 address with prefix length (e.g. 192.0.2.3/24 or 2001:db8:ff::10/64)</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="vrid">
<properties>
<help>Virtual router identifier</help>
<valueHelp>
<format>u32:1-255</format>
<description>Virtual router identifier</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
</leafNode>
</children>
</tagNode>
<tagNode name="sync-group">
<properties>
<help>VRRP sync group</help>
</properties>
<children>
<leafNode name="member">
<properties>
<multi/>
<help>Sync group member</help>
<valueHelp>
<format>txt</format>
<description>VRRP group name</description>
</valueHelp>
<completionHelp>
<path>high-availability vrrp group</path>
</completionHelp>
</properties>
</leafNode>
<node name="transition-script">
<properties>
<help>VRRP transition scripts</help>
</properties>
<children>
<leafNode name="master">
<properties>
<help>Script to run on VRRP state transition to master</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
<leafNode name="backup">
<properties>
<help>Script to run on VRRP state transition to backup</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
<leafNode name="fault">
<properties>
<help>Script to run on VRRP state transition to fault</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
<leafNode name="stop">
<properties>
<help>Script to run on VRRP state transition to stop</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
</children>
</tagNode>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_ha_vrrp.py b/smoketest/scripts/cli/test_ha_vrrp.py
index ad272f524..7d8d7c643 100755
--- a/smoketest/scripts/cli/test_ha_vrrp.py
+++ b/smoketest/scripts/cli/test_ha_vrrp.py
@@ -1,211 +1,214 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.configsession import ConfigSessionError
from vyos.ifconfig.vrrp import VRRP
from vyos.util import cmd
from vyos.util import process_named_running
from vyos.util import read_file
from vyos.template import inc_ip
PROCESS_NAME = 'keepalived'
KEEPALIVED_CONF = VRRP.location['config']
base_path = ['high-availability', 'vrrp']
vrrp_interface = 'eth1'
groups = ['VLAN77', 'VLAN78', 'VLAN201']
def getConfig(string, end='}'):
command = f'cat {KEEPALIVED_CONF} | sed -n "/^{string}/,/^{end}/p"'
out = cmd(command)
return out
class TestVRRP(VyOSUnitTestSHIM.TestCase):
def tearDown(self):
# Check for running process
self.assertTrue(process_named_running(PROCESS_NAME))
for group in groups:
vlan_id = group.lstrip('VLAN')
self.cli_delete(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id])
self.cli_delete(base_path)
self.cli_commit()
# Process must be terminated after deleting the config
self.assertFalse(process_named_running(PROCESS_NAME))
def test_01_default_values(self):
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
group_base = base_path + ['group', group]
self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', inc_ip(vip, 1) + '/' + vip.split('/')[-1]])
self.cli_set(group_base + ['description', group])
self.cli_set(group_base + ['interface', f'{vrrp_interface}.{vlan_id}'])
self.cli_set(group_base + ['virtual-address', vip])
self.cli_set(group_base + ['vrid', vlan_id])
# commit changes
self.cli_commit()
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
config = getConfig(f'vrrp_instance {group}')
self.assertIn(f'# {group}', config)
self.assertIn(f'interface {vrrp_interface}.{vlan_id}', config)
self.assertIn(f'virtual_router_id {vlan_id}', config)
self.assertIn(f'priority 100', config) # default value
self.assertIn(f'advert_int 1', config) # default value
self.assertIn(f'preempt_delay 0', config) # default value
self.assertNotIn(f'use_vmac', config)
self.assertIn(f' {vip}', config)
def test_02_simple_options(self):
advertise_interval = '77'
priority = '123'
preempt_delay = '400'
startup_delay = '120'
+ vrrp_version = '3'
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
group_base = base_path + ['group', group]
global_param_base = base_path + ['global-parameters']
self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', inc_ip(vip, 1) + '/' + vip.split('/')[-1]])
self.cli_set(group_base + ['description', group])
self.cli_set(group_base + ['interface', f'{vrrp_interface}.{vlan_id}'])
self.cli_set(group_base + ['virtual-address', vip])
self.cli_set(group_base + ['vrid', vlan_id])
self.cli_set(group_base + ['advertise-interval', advertise_interval])
self.cli_set(group_base + ['priority', priority])
self.cli_set(group_base + ['preempt-delay', preempt_delay])
self.cli_set(group_base + ['rfc3768-compatibility'])
# Authentication
self.cli_set(group_base + ['authentication', 'type', 'plaintext-password'])
self.cli_set(group_base + ['authentication', 'password', f'{group}'])
# Global parameters
self.cli_set(global_param_base + ['startup-delay', f'{startup_delay}'])
+ self.cli_set(global_param_base + ['version', vrrp_version])
# commit changes
self.cli_commit()
# Check Global parameters
config = getConfig(f'global_defs')
self.assertIn(f'vrrp_startup_delay {startup_delay}', config)
+ self.assertIn(f'vrrp_version {vrrp_version}', config)
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
config = getConfig(f'vrrp_instance {group}')
self.assertIn(f'# {group}', config)
self.assertIn(f'state BACKUP', config)
self.assertIn(f'interface {vrrp_interface}.{vlan_id}', config)
self.assertIn(f'virtual_router_id {vlan_id}', config)
self.assertIn(f'priority {priority}', config)
self.assertIn(f'advert_int {advertise_interval}', config)
self.assertIn(f'preempt_delay {preempt_delay}', config)
self.assertIn(f'use_vmac {vrrp_interface}.{vlan_id}v{vlan_id}', config)
self.assertIn(f' {vip}', config)
# Authentication
self.assertIn(f'auth_pass "{group}"', config)
self.assertIn(f'auth_type PASS', config)
def test_03_sync_group(self):
sync_group = 'VyOS'
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
group_base = base_path + ['group', group]
self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', inc_ip(vip, 1) + '/' + vip.split('/')[-1]])
self.cli_set(group_base + ['interface', f'{vrrp_interface}.{vlan_id}'])
self.cli_set(group_base + ['virtual-address', vip])
self.cli_set(group_base + ['vrid', vlan_id])
self.cli_set(base_path + ['sync-group', sync_group, 'member', group])
# commit changes
self.cli_commit()
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
config = getConfig(f'vrrp_instance {group}')
self.assertIn(f'interface {vrrp_interface}.{vlan_id}', config)
self.assertIn(f'virtual_router_id {vlan_id}', config)
self.assertNotIn(f'use_vmac', config)
self.assertIn(f' {vip}', config)
config = getConfig(f'vrrp_sync_group {sync_group}')
self.assertIn(r'group {', config)
for group in groups:
self.assertIn(f'{group}', config)
def test_04_exclude_vrrp_interface(self):
group = 'VyOS-WAN'
none_vrrp_interface = 'eth2'
vlan_id = '24'
vip = '100.64.24.1/24'
vip_dev = '192.0.2.2/24'
vrid = '150'
group_base = base_path + ['group', group]
self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', '100.64.24.11/24'])
self.cli_set(group_base + ['interface', f'{vrrp_interface}.{vlan_id}'])
self.cli_set(group_base + ['virtual-address', vip])
self.cli_set(group_base + ['virtual-address', vip_dev, 'interface', none_vrrp_interface])
self.cli_set(group_base + ['track', 'exclude-vrrp-interface'])
self.cli_set(group_base + ['track', 'interface', none_vrrp_interface])
self.cli_set(group_base + ['vrid', vrid])
# commit changes
self.cli_commit()
config = getConfig(f'vrrp_instance {group}')
self.assertIn(f'interface {vrrp_interface}.{vlan_id}', config)
self.assertIn(f'virtual_router_id {vrid}', config)
self.assertIn(f'dont_track_primary', config)
self.assertIn(f' {vip}', config)
self.assertIn(f' {vip_dev} dev {none_vrrp_interface}', config)
self.assertIn(f'track_interface', config)
self.assertIn(f' {none_vrrp_interface}', config)
if __name__ == '__main__':
unittest.main(verbosity=2)