diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2
index d54f575b5..f34ce64e2 100644
--- a/data/templates/high-availability/keepalived.conf.j2
+++ b/data/templates/high-availability/keepalived.conf.j2
@@ -1,224 +1,228 @@
# Autogenerated by VyOS
# Do not edit this file, all your changes will be lost
# on next commit or reboot
# Global definitions configuration block
global_defs {
dynamic_interfaces
script_user root
{% if vrrp.global_parameters.startup_delay is vyos_defined %}
vrrp_startup_delay {{ vrrp.global_parameters.startup_delay }}
{% endif %}
{% if vrrp.global_parameters.garp is vyos_defined %}
{% if vrrp.global_parameters.garp.interval is vyos_defined %}
vrrp_garp_interval {{ vrrp.global_parameters.garp.interval }}
{% endif %}
{% if vrrp.global_parameters.garp.master_delay is vyos_defined %}
vrrp_garp_master_delay {{ vrrp.global_parameters.garp.master_delay }}
{% endif %}
{% if vrrp.global_parameters.garp.master_refresh is vyos_defined %}
vrrp_garp_master_refresh {{ vrrp.global_parameters.garp.master_refresh }}
{% endif %}
{% if vrrp.global_parameters.garp.master_refresh_repeat is vyos_defined %}
vrrp_garp_master_refresh_repeat {{ vrrp.global_parameters.garp.master_refresh_repeat }}
{% endif %}
{% if vrrp.global_parameters.garp.master_repeat is vyos_defined %}
vrrp_garp_master_repeat {{ vrrp.global_parameters.garp.master_repeat }}
{% endif %}
{% endif %}
{% if vrrp.global_parameters.version is vyos_defined %}
vrrp_version {{ vrrp.global_parameters.version }}
{% endif %}
notify_fifo /run/keepalived/keepalived_notify_fifo
notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}
{% if vrrp.group is vyos_defined %}
{% for name, group_config in vrrp.group.items() if group_config.disable is not vyos_defined %}
{% if group_config.health_check is vyos_defined %}
vrrp_script healthcheck_{{ name }} {
{% if group_config.health_check.script is vyos_defined %}
script "{{ group_config.health_check.script }}"
{% elif group_config.health_check.ping is vyos_defined %}
script "/usr/bin/ping -c1 {{ group_config.health_check.ping }}"
{% endif %}
interval {{ group_config.health_check.interval }}
fall {{ group_config.health_check.failure_count }}
rise 1
}
{% endif %}
vrrp_instance {{ name }} {
{% if group_config.description is vyos_defined %}
# {{ group_config.description }}
{% endif %}
state BACKUP
interface {{ group_config.interface }}
virtual_router_id {{ group_config.vrid }}
priority {{ group_config.priority }}
advert_int {{ group_config.advertise_interval }}
{% if group_config.garp is vyos_defined %}
{% if group_config.garp.interval is vyos_defined %}
garp_interval {{ group_config.garp.interval }}
{% endif %}
{% if group_config.garp.master_delay is vyos_defined %}
garp_master_delay {{ group_config.garp.master_delay }}
{% endif %}
{% if group_config.garp.master_repeat is vyos_defined %}
garp_master_repeat {{ group_config.garp.master_repeat }}
{% endif %}
{% if group_config.garp.master_refresh is vyos_defined %}
garp_master_refresh {{ group_config.garp.master_refresh }}
{% endif %}
{% if group_config.garp.master_refresh_repeat is vyos_defined %}
garp_master_refresh_repeat {{ group_config.garp.master_refresh_repeat }}
{% endif %}
{% endif %}
{% if group_config.track.exclude_vrrp_interface is vyos_defined %}
dont_track_primary
{% endif %}
{% if group_config.no_preempt is not vyos_defined and group_config.preempt_delay is vyos_defined %}
preempt_delay {{ group_config.preempt_delay }}
{% elif group_config.no_preempt is vyos_defined %}
nopreempt
{% endif %}
{% if group_config.peer_address is vyos_defined %}
- unicast_peer { {{ group_config.peer_address }} }
+ unicast_peer {
+{% for peer_address in group_config.peer_address %}
+ {{ peer_address }}
+{% endfor %}
+ }
{% endif %}
{% if group_config.hello_source_address is vyos_defined %}
{% if group_config.peer_address is vyos_defined %}
unicast_src_ip {{ group_config.hello_source_address }}
{% else %}
mcast_src_ip {{ group_config.hello_source_address }}
{% endif %}
{% endif %}
{% if group_config.rfc3768_compatibility is vyos_defined and group_config.peer_address is vyos_defined %}
use_vmac {{ group_config.interface }}v{{ group_config.vrid }}v{{ '4' if group_config['address'] | first | is_ipv4 else '6' }}
vmac_xmit_base
{% elif group_config.rfc3768_compatibility is vyos_defined %}
use_vmac {{ group_config.interface }}v{{ group_config.vrid }}v{{ '4' if group_config['address'] | first | is_ipv4 else '6' }}
{% endif %}
{% if group_config.authentication is vyos_defined %}
authentication {
auth_pass "{{ group_config.authentication.password }}"
{% if group_config.authentication.type is vyos_defined('plaintext-password') %}
auth_type PASS
{% else %}
auth_type {{ group_config.authentication.type | upper }}
{% endif %}
}
{% endif %}
{% if group_config.address is vyos_defined %}
virtual_ipaddress {
{% for addr, addr_config in group_config.address.items() %}
{{ addr }}{{ ' dev ' + addr_config.interface if addr_config.interface is vyos_defined }}
{% endfor %}
}
{% endif %}
{% if group_config.excluded_address is vyos_defined %}
virtual_ipaddress_excluded {
{% for addr in group_config.excluded_address %}
{{ addr }}
{% endfor %}
}
{% endif %}
{% if group_config.track.interface is vyos_defined %}
track_interface {
{% for interface in group_config.track.interface %}
{{ interface }}
{% endfor %}
}
{% endif %}
{% if group_config.health_check is vyos_defined %}
track_script {
healthcheck_{{ name }}
}
{% endif %}
}
{% endfor %}
{% endif %}
{% if vrrp.sync_group is vyos_defined %}
{% for name, sync_group_config in vrrp.sync_group.items() if sync_group_config.disable is not vyos_defined %}
vrrp_sync_group {{ name }} {
group {
{% if sync_group_config.member is vyos_defined %}
{% for member in sync_group_config.member %}
{{ member }}
{% endfor %}
{% endif %}
}
{# Health-check scripts should be in section sync-group if member is part of the sync-group T4081 #}
{% if vrrp.group is vyos_defined %}
{% for name, group_config in vrrp.group.items() if group_config.disable is not vyos_defined %}
{% if group_config.health_check.script is vyos_defined and name in sync_group_config.member %}
track_script {
healthcheck_{{ name }}
}
{% endif %}
{% endfor %}
{% endif %}
{% if conntrack_sync_group is vyos_defined(name) %}
{% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %}
notify_master "{{ vyos_helper }} master {{ name }}"
notify_backup "{{ vyos_helper }} backup {{ name }}"
notify_fault "{{ vyos_helper }} fault {{ name }}"
{% endif %}
}
{% endfor %}
{% endif %}
{% if virtual_server is vyos_defined %}
# Virtual-server configuration
{% for vserver, vserver_config in virtual_server.items() %}
# Vserver {{ vserver }}
{% if vserver_config.port is vyos_defined %}
virtual_server {{ vserver_config.address }} {{ vserver_config.port }} {
{% else %}
virtual_server fwmark {{ vserver_config.fwmark }} {
{% endif %}
delay_loop {{ vserver_config.delay_loop }}
{% if vserver_config.algorithm is vyos_defined('round-robin') %}
lb_algo rr
{% elif vserver_config.algorithm is vyos_defined('weighted-round-robin') %}
lb_algo wrr
{% elif vserver_config.algorithm is vyos_defined('least-connection') %}
lb_algo lc
{% elif vserver_config.algorithm is vyos_defined('weighted-least-connection') %}
lb_algo wlc
{% elif vserver_config.algorithm is vyos_defined('source-hashing') %}
lb_algo sh
{% elif vserver_config.algorithm is vyos_defined('destination-hashing') %}
lb_algo dh
{% elif vserver_config.algorithm is vyos_defined('locality-based-least-connection') %}
lb_algo lblc
{% endif %}
{% if vserver_config.forward_method is vyos_defined('nat') %}
lb_kind NAT
{% elif vserver_config.forward_method is vyos_defined('direct') %}
lb_kind DR
{% elif vserver_config.forward_method is vyos_defined('tunnel') %}
lb_kind TUN
{% endif %}
persistence_timeout {{ vserver_config.persistence_timeout }}
protocol {{ vserver_config.protocol | upper }}
{% if vserver_config.real_server is vyos_defined %}
{% for rserver, rserver_config in vserver_config.real_server.items() %}
real_server {{ rserver }} {{ rserver_config.port }} {
weight 1
{% if rserver_config.health_check.script is vyos_defined %}
MISC_CHECK {
misc_path {{ rserver_config.health_check.script }}
{% else %}
{{ vserver_config.protocol | upper }}_CHECK {
{% if rserver_config.connection_timeout is vyos_defined %}
connect_timeout {{ rserver_config.connection_timeout }}
{% endif %}
{% endif %}
}
}
{% endfor %}
{% endif %}
}
{% endfor %}
{% endif %}
diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in
index 59f0f1052..aef57f8ae 100644
--- a/interface-definitions/high-availability.xml.in
+++ b/interface-definitions/high-availability.xml.in
@@ -1,509 +1,510 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="high-availability" owner="${vyos_conf_scripts_dir}/high-availability.py">
<properties>
<priority>800</priority> <!-- after all interfaces and conntrack-sync -->
<help>High availability settings</help>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
<node name="vrrp">
<properties>
<help>Virtual Router Redundancy Protocol settings</help>
</properties>
<children>
<leafNode name="snmp">
<properties>
<valueless/>
<help>Enable SNMP</help>
</properties>
</leafNode>
<node name="global-parameters">
<properties>
<help>VRRP global parameters</help>
</properties>
<children>
#include <include/vrrp/garp.xml.i>
<leafNode name="startup-delay">
<properties>
<help>Time VRRP startup process (in seconds)</help>
<valueHelp>
<format>u32:1-600</format>
<description>Interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-600"/>
</constraint>
</properties>
</leafNode>
<leafNode name="version">
<properties>
<help>Default VRRP version to use, IPv6 always uses VRRP version 3</help>
<valueHelp>
<format>2</format>
<description>VRRP version 2</description>
</valueHelp>
<valueHelp>
<format>3</format>
<description>VRRP version 3</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 2-3"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
<tagNode name="group">
<properties>
<help>VRRP group</help>
</properties>
<children>
#include <include/generic-interface-broadcast.xml.i>
#include <include/vrrp/garp.xml.i>
<leafNode name="advertise-interval">
<properties>
<help>Advertise interval</help>
<valueHelp>
<format>u32:1-255</format>
<description>Advertise interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
<defaultValue>1</defaultValue>
</leafNode>
<node name="authentication">
<properties>
<help>VRRP authentication</help>
</properties>
<children>
<leafNode name="password">
<properties>
<help>VRRP password</help>
<valueHelp>
<format>txt</format>
<description>Password string (up to 8 characters)</description>
</valueHelp>
<constraint>
<regex>.{1,8}</regex>
</constraint>
<constraintErrorMessage>Password must not be longer than 8 characters</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="type">
<properties>
<help>Authentication type</help>
<completionHelp>
<list>plaintext-password ah</list>
</completionHelp>
<valueHelp>
<format>plaintext-password</format>
<description>Simple password string</description>
</valueHelp>
<valueHelp>
<format>ah</format>
<description>AH - IPSEC (not recommended)</description>
</valueHelp>
<constraint>
<regex>(plaintext-password|ah)</regex>
</constraint>
<constraintErrorMessage>Authentication type must be plaintext-password or ah</constraintErrorMessage>
</properties>
</leafNode>
</children>
</node>
#include <include/generic-description.xml.i>
#include <include/generic-disable-node.xml.i>
<node name="health-check">
<properties>
<help>Health check</help>
</properties>
<children>
<leafNode name="failure-count">
<properties>
<help>Health check failure count required for transition to fault</help>
<constraint>
<validator name="numeric" argument="--positive" />
</constraint>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
<leafNode name="interval">
<properties>
<help>Health check execution interval in seconds</help>
<constraint>
<validator name="numeric" argument="--positive"/>
</constraint>
</properties>
<defaultValue>60</defaultValue>
</leafNode>
<leafNode name="ping">
<properties>
<help>ICMP ping health check</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 ping target address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 ping target address</description>
</valueHelp>
<constraint>
<validator name="ip-address"/>
</constraint>
</properties>
</leafNode>
<leafNode name="script">
<properties>
<help>Health check script file</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
<leafNode name="hello-source-address">
<properties>
<help>VRRP hello source address</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 hello source address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 hello source address</description>
</valueHelp>
<constraint>
<validator name="ip-address"/>
</constraint>
</properties>
</leafNode>
<leafNode name="peer-address">
<properties>
<help>Unicast VRRP peer address</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 unicast peer address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 unicast peer address</description>
</valueHelp>
<constraint>
<validator name="ip-address"/>
</constraint>
+ <multi/>
</properties>
</leafNode>
<leafNode name="no-preempt">
<properties>
<valueless/>
<help>Disable master preemption</help>
</properties>
</leafNode>
<leafNode name="preempt-delay">
<properties>
<help>Preempt delay (in seconds)</help>
<valueHelp>
<format>u32:0-1000</format>
<description>preempt delay</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-1000"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
<leafNode name="priority">
<properties>
<help>Router priority</help>
<valueHelp>
<format>u32:1-255</format>
<description>Router priority</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
<defaultValue>100</defaultValue>
</leafNode>
<leafNode name="rfc3768-compatibility">
<properties>
<help>Use VRRP virtual MAC address as per RFC3768</help>
<valueless/>
</properties>
</leafNode>
<node name="track">
<properties>
<help>Track settings</help>
</properties>
<children>
<leafNode name="exclude-vrrp-interface">
<properties>
<valueless/>
<help>Disable track state of main interface</help>
</properties>
</leafNode>
<leafNode name="interface">
<properties>
<help>Interface name state check</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces --broadcast</script>
</completionHelp>
<valueHelp>
<format>txt</format>
<description>Interface name</description>
</valueHelp>
<constraint>
#include <include/constraint/interface-name.xml.i>
</constraint>
<multi/>
</properties>
</leafNode>
</children>
</node>
#include <include/vrrp-transition-script.xml.i>
<tagNode name="address">
<properties>
<help>Virtual IP address</help>
<valueHelp>
<format>ipv4net</format>
<description>IPv4 address and prefix length</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address and prefix length</description>
</valueHelp>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address</description>
</valueHelp>
<constraint>
<validator name="ip-host"/>
<validator name="ip-address"/>
</constraint>
</properties>
<children>
#include <include/generic-interface-broadcast.xml.i>
</children>
</tagNode>
<leafNode name="excluded-address">
<properties>
<help>Virtual address (If you need additional IPv4 and IPv6 in same group)</help>
<valueHelp>
<format>ipv4</format>
<description>IP address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address</description>
</valueHelp>
<multi/>
<constraint>
<validator name="ipv4-host"/>
<validator name="ipv6-host"/>
</constraint>
<constraintErrorMessage>Virtual address must be a valid IPv4 or IPv6 address with prefix length (e.g. 192.0.2.3/24 or 2001:db8:ff::10/64)</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="vrid">
<properties>
<help>Virtual router identifier</help>
<valueHelp>
<format>u32:1-255</format>
<description>Virtual router identifier</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
</leafNode>
</children>
</tagNode>
<tagNode name="sync-group">
<properties>
<help>VRRP sync group</help>
</properties>
<children>
<leafNode name="member">
<properties>
<multi/>
<help>Sync group member</help>
<valueHelp>
<format>txt</format>
<description>VRRP group name</description>
</valueHelp>
<completionHelp>
<path>high-availability vrrp group</path>
</completionHelp>
</properties>
</leafNode>
#include <include/vrrp-transition-script.xml.i>
</children>
</tagNode>
</children>
</node>
<tagNode name="virtual-server">
<properties>
<help>Load-balancing virtual server alias</help>
</properties>
<children>
#include <include/address-ipv4-ipv6-single.xml.i>
<leafNode name="algorithm">
<properties>
<help>Schedule algorithm (default - least-connection)</help>
<completionHelp>
<list>round-robin weighted-round-robin least-connection weighted-least-connection source-hashing destination-hashing locality-based-least-connection</list>
</completionHelp>
<valueHelp>
<format>round-robin</format>
<description>Round robin</description>
</valueHelp>
<valueHelp>
<format>weighted-round-robin</format>
<description>Weighted round robin</description>
</valueHelp>
<valueHelp>
<format>least-connection</format>
<description>Least connection</description>
</valueHelp>
<valueHelp>
<format>weighted-least-connection</format>
<description>Weighted least connection</description>
</valueHelp>
<valueHelp>
<format>source-hashing</format>
<description>Source hashing</description>
</valueHelp>
<valueHelp>
<format>destination-hashing</format>
<description>Destination hashing</description>
</valueHelp>
<valueHelp>
<format>locality-based-least-connection</format>
<description>Locality-Based least connection</description>
</valueHelp>
<constraint>
<regex>(round-robin|weighted-round-robin|least-connection|weighted-least-connection|source-hashing|destination-hashing|locality-based-least-connection)</regex>
</constraint>
</properties>
<defaultValue>least-connection</defaultValue>
</leafNode>
<leafNode name="delay-loop">
<properties>
<help>Interval between health-checks (in seconds)</help>
<valueHelp>
<format>u32:1-600</format>
<description>Interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-3600"/>
</constraint>
</properties>
<defaultValue>10</defaultValue>
</leafNode>
<leafNode name="forward-method">
<properties>
<help>Forwarding method</help>
<completionHelp>
<list>direct nat tunnel</list>
</completionHelp>
<valueHelp>
<format>direct</format>
<description>Direct routing</description>
</valueHelp>
<valueHelp>
<format>nat</format>
<description>NAT</description>
</valueHelp>
<valueHelp>
<format>tunnel</format>
<description>Tunneling</description>
</valueHelp>
<constraint>
<regex>(direct|nat|tunnel)</regex>
</constraint>
</properties>
<defaultValue>nat</defaultValue>
</leafNode>
#include <include/firewall/fwmark.xml.i>
#include <include/port-number-start-zero.xml.i>
<leafNode name="persistence-timeout">
<properties>
<help>Timeout for persistent connections</help>
<valueHelp>
<format>u32:1-86400</format>
<description>Timeout for persistent connections</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-86400"/>
</constraint>
</properties>
<defaultValue>300</defaultValue>
</leafNode>
<leafNode name="protocol">
<properties>
<help>Protocol for port checks</help>
<completionHelp>
<list>tcp udp</list>
</completionHelp>
<valueHelp>
<format>tcp</format>
<description>TCP</description>
</valueHelp>
<valueHelp>
<format>udp</format>
<description>UDP</description>
</valueHelp>
<constraint>
<regex>(tcp|udp)</regex>
</constraint>
</properties>
<defaultValue>tcp</defaultValue>
</leafNode>
<tagNode name="real-server">
<properties>
<help>Real server address</help>
</properties>
<children>
#include <include/port-number-start-zero.xml.i>
<leafNode name="connection-timeout">
<properties>
<help>Server connection timeout</help>
<valueHelp>
<format>u32:1-86400</format>
<description>Connection timeout to remote server</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-86400"/>
</constraint>
</properties>
</leafNode>
<node name="health-check">
<properties>
<help>Health check script</help>
</properties>
<children>
<leafNode name="script">
<properties>
<help>Health check script file</help>
<constraint>
<validator name="script"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
</children>
</tagNode>
</children>
</tagNode>
</children>
</node>
</interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_high-availability_vrrp.py b/smoketest/scripts/cli/test_high-availability_vrrp.py
index 98259d830..1bb35e422 100755
--- a/smoketest/scripts/cli/test_high-availability_vrrp.py
+++ b/smoketest/scripts/cli/test_high-availability_vrrp.py
@@ -1,241 +1,268 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.configsession import ConfigSessionError
from vyos.ifconfig.vrrp import VRRP
from vyos.utils.process import cmd
from vyos.utils.process import process_named_running
from vyos.utils.file import read_file
from vyos.template import inc_ip
PROCESS_NAME = 'keepalived'
KEEPALIVED_CONF = VRRP.location['config']
base_path = ['high-availability']
vrrp_interface = 'eth1'
groups = ['VLAN77', 'VLAN78', 'VLAN201']
def getConfig(string, end='}'):
command = f'cat {KEEPALIVED_CONF} | sed -n "/^{string}/,/^{end}/p"'
out = cmd(command)
return out
class TestVRRP(VyOSUnitTestSHIM.TestCase):
def tearDown(self):
# Check for running process
self.assertTrue(process_named_running(PROCESS_NAME))
for group in groups:
vlan_id = group.lstrip('VLAN')
self.cli_delete(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id])
self.cli_delete(base_path)
self.cli_commit()
# Process must be terminated after deleting the config
self.assertFalse(process_named_running(PROCESS_NAME))
def test_01_default_values(self):
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
group_base = base_path + ['vrrp', 'group', group]
self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', inc_ip(vip, 1) + '/' + vip.split('/')[-1]])
self.cli_set(group_base + ['description', group])
self.cli_set(group_base + ['interface', f'{vrrp_interface}.{vlan_id}'])
self.cli_set(group_base + ['address', vip])
self.cli_set(group_base + ['vrid', vlan_id])
# commit changes
self.cli_commit()
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
config = getConfig(f'vrrp_instance {group}')
self.assertIn(f'# {group}', config)
self.assertIn(f'interface {vrrp_interface}.{vlan_id}', config)
self.assertIn(f'virtual_router_id {vlan_id}', config)
self.assertIn(f'priority 100', config) # default value
self.assertIn(f'advert_int 1', config) # default value
self.assertIn(f'preempt_delay 0', config) # default value
self.assertNotIn(f'use_vmac', config)
self.assertIn(f' {vip}', config)
def test_02_simple_options(self):
advertise_interval = '77'
priority = '123'
preempt_delay = '400'
startup_delay = '120'
garp_master_delay = '2'
garp_master_repeat = '3'
garp_master_refresh = '4'
garp_master_refresh_repeat = '5'
garp_interval = '1.5'
group_garp_master_delay = '12'
group_garp_master_repeat = '13'
group_garp_master_refresh = '14'
vrrp_version = '3'
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
group_base = base_path + ['vrrp', 'group', group]
global_param_base = base_path + ['vrrp', 'global-parameters']
self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', inc_ip(vip, 1) + '/' + vip.split('/')[-1]])
self.cli_set(group_base + ['description', group])
self.cli_set(group_base + ['interface', f'{vrrp_interface}.{vlan_id}'])
self.cli_set(group_base + ['address', vip])
self.cli_set(group_base + ['vrid', vlan_id])
self.cli_set(group_base + ['advertise-interval', advertise_interval])
self.cli_set(group_base + ['priority', priority])
self.cli_set(group_base + ['preempt-delay', preempt_delay])
self.cli_set(group_base + ['rfc3768-compatibility'])
# Authentication
self.cli_set(group_base + ['authentication', 'type', 'plaintext-password'])
self.cli_set(group_base + ['authentication', 'password', f'{group}'])
# GARP
self.cli_set(group_base + ['garp', 'master-delay', group_garp_master_delay])
self.cli_set(group_base + ['garp', 'master-repeat', group_garp_master_repeat])
self.cli_set(group_base + ['garp', 'master-refresh', group_garp_master_refresh])
# Global parameters
#config = getConfig(f'global_defs')
self.cli_set(global_param_base + ['startup-delay', f'{startup_delay}'])
self.cli_set(global_param_base + ['garp', 'interval', f'{garp_interval}'])
self.cli_set(global_param_base + ['garp', 'master-delay', f'{garp_master_delay}'])
self.cli_set(global_param_base + ['garp', 'master-repeat', f'{garp_master_repeat}'])
self.cli_set(global_param_base + ['garp', 'master-refresh', f'{garp_master_refresh}'])
self.cli_set(global_param_base + ['garp', 'master-refresh-repeat', f'{garp_master_refresh_repeat}'])
self.cli_set(global_param_base + ['version', vrrp_version])
# commit changes
self.cli_commit()
# Check Global parameters
config = getConfig(f'global_defs')
self.assertIn(f'vrrp_startup_delay {startup_delay}', config)
self.assertIn(f'vrrp_garp_interval {garp_interval}', config)
self.assertIn(f'vrrp_garp_master_delay {garp_master_delay}', config)
self.assertIn(f'vrrp_garp_master_repeat {garp_master_repeat}', config)
self.assertIn(f'vrrp_garp_master_refresh {garp_master_refresh}', config)
self.assertIn(f'vrrp_garp_master_refresh_repeat {garp_master_refresh_repeat}', config)
self.assertIn(f'vrrp_version {vrrp_version}', config)
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
config = getConfig(f'vrrp_instance {group}')
self.assertIn(f'# {group}', config)
self.assertIn(f'state BACKUP', config)
self.assertIn(f'interface {vrrp_interface}.{vlan_id}', config)
self.assertIn(f'virtual_router_id {vlan_id}', config)
self.assertIn(f'priority {priority}', config)
self.assertIn(f'advert_int {advertise_interval}', config)
self.assertIn(f'preempt_delay {preempt_delay}', config)
self.assertIn(f'use_vmac {vrrp_interface}.{vlan_id}v{vlan_id}', config)
self.assertIn(f' {vip}', config)
# Authentication
self.assertIn(f'auth_pass "{group}"', config)
self.assertIn(f'auth_type PASS', config)
#GARP
self.assertIn(f'garp_master_delay {group_garp_master_delay}', config)
self.assertIn(f'garp_master_refresh {group_garp_master_refresh}', config)
self.assertIn(f'garp_master_repeat {group_garp_master_repeat}', config)
def test_03_sync_group(self):
sync_group = 'VyOS'
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
group_base = base_path + ['vrrp', 'group', group]
self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', inc_ip(vip, 1) + '/' + vip.split('/')[-1]])
self.cli_set(group_base + ['interface', f'{vrrp_interface}.{vlan_id}'])
self.cli_set(group_base + ['address', vip])
self.cli_set(group_base + ['vrid', vlan_id])
self.cli_set(base_path + ['vrrp', 'sync-group', sync_group, 'member', group])
# commit changes
self.cli_commit()
for group in groups:
vlan_id = group.lstrip('VLAN')
vip = f'100.64.{vlan_id}.1/24'
config = getConfig(f'vrrp_instance {group}')
self.assertIn(f'interface {vrrp_interface}.{vlan_id}', config)
self.assertIn(f'virtual_router_id {vlan_id}', config)
self.assertNotIn(f'use_vmac', config)
self.assertIn(f' {vip}', config)
config = getConfig(f'vrrp_sync_group {sync_group}')
self.assertIn(r'group {', config)
for group in groups:
self.assertIn(f'{group}', config)
def test_04_exclude_vrrp_interface(self):
group = 'VyOS-WAN'
none_vrrp_interface = 'eth2'
vlan_id = '24'
vip = '100.64.24.1/24'
vip_dev = '192.0.2.2/24'
vrid = '150'
group_base = base_path + ['vrrp', 'group', group]
self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', '100.64.24.11/24'])
self.cli_set(group_base + ['interface', f'{vrrp_interface}.{vlan_id}'])
self.cli_set(group_base + ['address', vip])
self.cli_set(group_base + ['address', vip_dev, 'interface', none_vrrp_interface])
self.cli_set(group_base + ['track', 'exclude-vrrp-interface'])
self.cli_set(group_base + ['track', 'interface', none_vrrp_interface])
self.cli_set(group_base + ['vrid', vrid])
# commit changes
self.cli_commit()
config = getConfig(f'vrrp_instance {group}')
self.assertIn(f'interface {vrrp_interface}.{vlan_id}', config)
self.assertIn(f'virtual_router_id {vrid}', config)
self.assertIn(f'dont_track_primary', config)
self.assertIn(f' {vip}', config)
self.assertIn(f' {vip_dev} dev {none_vrrp_interface}', config)
self.assertIn(f'track_interface', config)
self.assertIn(f' {none_vrrp_interface}', config)
+ def test_05_set_multiple_peer_address(self):
+ group = 'VyOS-WAN'
+ vlan_id = '24'
+ vip = '100.64.24.1/24'
+ peer_address_1 = '192.0.2.1'
+ peer_address_2 = '192.0.2.2'
+ vrid = '150'
+ group_base = base_path + ['vrrp', 'group', group]
+
+ self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', '100.64.24.11/24'])
+ self.cli_set(group_base + ['interface', vrrp_interface])
+ self.cli_set(group_base + ['address', vip])
+ self.cli_set(group_base + ['peer-address', peer_address_1])
+ self.cli_set(group_base + ['peer-address', peer_address_2])
+ self.cli_set(group_base + ['vrid', vrid])
+
+ # commit changes
+ self.cli_commit()
+
+ config = getConfig(f'vrrp_instance {group}')
+
+ self.assertIn(f'interface {vrrp_interface}', config)
+ self.assertIn(f'virtual_router_id {vrid}', config)
+ self.assertIn(f'unicast_peer', config)
+ self.assertIn(f' {peer_address_1}', config)
+ self.assertIn(f' {peer_address_2}', config)
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/high-availability.py b/src/conf_mode/high-availability.py
index b3b27b14e..59d49ea67 100755
--- a/src/conf_mode/high-availability.py
+++ b/src/conf_mode/high-availability.py
@@ -1,217 +1,219 @@
#!/usr/bin/env python3
#
# Copyright (C) 2018-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import time
from sys import exit
from ipaddress import ip_interface
from ipaddress import IPv4Interface
from ipaddress import IPv6Interface
from vyos.base import Warning
from vyos.config import Config
from vyos.configdict import leaf_node_changed
from vyos.ifconfig.vrrp import VRRP
from vyos.template import render
from vyos.template import is_ipv4
from vyos.template import is_ipv6
from vyos.utils.network import is_ipv6_tentative
from vyos.utils.process import call
from vyos import ConfigError
from vyos import airbag
airbag.enable()
systemd_override = r'/run/systemd/system/keepalived.service.d/10-override.conf'
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
base = ['high-availability']
if not conf.exists(base):
return None
ha = conf.get_config_dict(base, key_mangling=('-', '_'),
no_tag_node_value_mangle=True,
get_first_key=True, with_defaults=True)
## Get the sync group used for conntrack-sync
conntrack_path = ['service', 'conntrack-sync', 'failover-mechanism', 'vrrp', 'sync-group']
if conf.exists(conntrack_path):
ha['conntrack_sync_group'] = conf.return_value(conntrack_path)
if leaf_node_changed(conf, base + ['vrrp', 'snmp']):
ha.update({'restart_required': {}})
return ha
def verify(ha):
if not ha or 'disable' in ha:
return None
used_vrid_if = []
if 'vrrp' in ha and 'group' in ha['vrrp']:
for group, group_config in ha['vrrp']['group'].items():
# Check required fields
if 'vrid' not in group_config:
raise ConfigError(f'VRID is required but not set in VRRP group "{group}"')
if 'interface' not in group_config:
raise ConfigError(f'Interface is required but not set in VRRP group "{group}"')
if 'address' not in group_config:
raise ConfigError(f'Virtual IP address is required but not set in VRRP group "{group}"')
if 'authentication' in group_config:
if not {'password', 'type'} <= set(group_config['authentication']):
raise ConfigError(f'Authentication requires both type and passwortd to be set in VRRP group "{group}"')
if 'health_check' in group_config:
health_check_types = ["script", "ping"]
from vyos.utils.dict import check_mutually_exclusive_options
try:
check_mutually_exclusive_options(group_config["health_check"], health_check_types, required=True)
except ValueError:
Warning(f'Health check configuration for VRRP group "{group}" will remain unused ' \
f'until it has one of the following options: {health_check_types}')
# XXX: health check has default options so we need to remove it
# to avoid generating useless config statements in keepalived.conf
del group_config["health_check"]
# Keepalived doesn't allow mixing IPv4 and IPv6 in one group, so we mirror that restriction
# We also need to make sure VRID is not used twice on the same interface with the
# same address family.
interface = group_config['interface']
vrid = group_config['vrid']
# XXX: filter on map object is destructive, so we force it to list.
# Additionally, filter objects always evaluate to True, empty or not,
# so we force them to lists as well.
vaddrs = list(map(lambda i: ip_interface(i), group_config['address']))
vaddrs4 = list(filter(lambda x: isinstance(x, IPv4Interface), vaddrs))
vaddrs6 = list(filter(lambda x: isinstance(x, IPv6Interface), vaddrs))
if vaddrs4 and vaddrs6:
raise ConfigError(f'VRRP group "{group}" mixes IPv4 and IPv6 virtual addresses, this is not allowed.\n' \
'Create individual groups for IPv4 and IPv6!')
if vaddrs4:
tmp = {'interface': interface, 'vrid': vrid, 'ipver': 'IPv4'}
if tmp in used_vrid_if:
raise ConfigError(f'VRID "{vrid}" can only be used once on interface "{interface} with address family IPv4"!')
used_vrid_if.append(tmp)
if 'hello_source_address' in group_config:
if is_ipv6(group_config['hello_source_address']):
raise ConfigError(f'VRRP group "{group}" uses IPv4 but hello-source-address is IPv6!')
if 'peer_address' in group_config:
- if is_ipv6(group_config['peer_address']):
- raise ConfigError(f'VRRP group "{group}" uses IPv4 but peer-address is IPv6!')
+ for peer_address in group_config['peer_address']:
+ if is_ipv6(peer_address):
+ raise ConfigError(f'VRRP group "{group}" uses IPv4 but peer-address is IPv6!')
if vaddrs6:
tmp = {'interface': interface, 'vrid': vrid, 'ipver': 'IPv6'}
if tmp in used_vrid_if:
raise ConfigError(f'VRID "{vrid}" can only be used once on interface "{interface} with address family IPv6"!')
used_vrid_if.append(tmp)
if 'hello_source_address' in group_config:
if is_ipv4(group_config['hello_source_address']):
raise ConfigError(f'VRRP group "{group}" uses IPv6 but hello-source-address is IPv4!')
if 'peer_address' in group_config:
- if is_ipv4(group_config['peer_address']):
- raise ConfigError(f'VRRP group "{group}" uses IPv6 but peer-address is IPv4!')
+ for peer_address in group_config['peer_address']:
+ if is_ipv4(peer_address):
+ raise ConfigError(f'VRRP group "{group}" uses IPv6 but peer-address is IPv4!')
# Check sync groups
if 'vrrp' in ha and 'sync_group' in ha['vrrp']:
for sync_group, sync_config in ha['vrrp']['sync_group'].items():
if 'member' in sync_config:
for member in sync_config['member']:
if member not in ha['vrrp']['group']:
raise ConfigError(f'VRRP sync-group "{sync_group}" refers to VRRP group "{member}", '\
'but it does not exist!')
# Virtual-server
if 'virtual_server' in ha:
for vs, vs_config in ha['virtual_server'].items():
if 'address' not in vs_config and 'fwmark' not in vs_config:
raise ConfigError('Either address or fwmark is required '
f'but not set for virtual-server "{vs}"')
if 'port' not in vs_config and 'fwmark' not in vs_config:
raise ConfigError(f'Port or fwmark is required but not set for virtual-server "{vs}"')
if 'port' in vs_config and 'fwmark' in vs_config:
raise ConfigError(f'Cannot set both port and fwmark for virtual-server "{vs}"')
if 'real_server' not in vs_config:
raise ConfigError(f'Real-server ip is required but not set for virtual-server "{vs}"')
# Real-server
for rs, rs_config in vs_config['real_server'].items():
if 'port' not in rs_config:
raise ConfigError(f'Port is required but not set for virtual-server "{vs}" real-server "{rs}"')
def generate(ha):
if not ha or 'disable' in ha:
if os.path.isfile(systemd_override):
os.unlink(systemd_override)
return None
render(VRRP.location['config'], 'high-availability/keepalived.conf.j2', ha)
render(systemd_override, 'high-availability/10-override.conf.j2', ha)
return None
def apply(ha):
service_name = 'keepalived.service'
call('systemctl daemon-reload')
if not ha or 'disable' in ha:
call(f'systemctl stop {service_name}')
return None
# Check if IPv6 address is tentative T5533
for group, group_config in ha.get('vrrp', {}).get('group', {}).items():
if 'hello_source_address' in group_config:
if is_ipv6(group_config['hello_source_address']):
ipv6_address = group_config['hello_source_address']
interface = group_config['interface']
checks = 20
interval = 0.1
for _ in range(checks):
if is_ipv6_tentative(interface, ipv6_address):
time.sleep(interval)
systemd_action = 'reload-or-restart'
if 'restart_required' in ha:
systemd_action = 'restart'
call(f'systemctl {systemd_action} {service_name}')
return None
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
exit(1)