Linux - keepalived automatically adds an iptables rule that drops the VIP after startup
Problem description
After keepalived starts, it automatically adds an iptables rule that drops traffic to the VIP, so the VIP cannot be pinged:
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:d1:e1:87 brd ff:ff:ff:ff:ff:ff
inet 192.168.71.128/24 brd 192.168.71.255 scope global eth0
inet 192.168.71.100/32 scope global eth0
inet6 fe80::20c:29ff:fed1:e187/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 192.168.71.100
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# cat /etc/keepalive/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 128
    priority 200
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.71.100
    }
}
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:2c:24:20 brd ff:ff:ff:ff:ff:ff
inet 192.168.71.129/24 brd 192.168.71.255 scope global eth0
inet 192.168.71.100/32 scope global eth0
inet6 fe80::20c:29ff:fe2c:2420/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 192.168.71.100
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# cat /etc/keepalive/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 138
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.71.100
    }
}
Solution
# Enforce strict VRRP protocol compliance. This will prohibit:
# 0 VIPs
# unicast peers
# IPv6 addresses in VRRP version 2
vrrp_strict
https://github.com/acassen/ke...
iptables entries should only be added if strict or noaccept is configured against the vrrp instance, or vrrp_strict is configured in global_defs. This is to comply with RFC5798 Accept_Mode, except that unless strict is specified, the default is to set Accept_Mode (i.e. allow packets to be received by the virtual IP address) whereas the RFC states that the default should be Accept_Mode is false.
You could try specifying accept against the vrrp instances, to see if that stops the iptables entries being added.
Could you post a copy of your keepalived config so that we can test it to make sure there isn't a problem with the logic in this area in keepalived. I have tested a minimal config without strict or noaccept set, and it doesn't add iptables entries for me.
https://www.rfc-editor.org/rf...
Accept_Mode: Controls whether a virtual router in Master state will accept packets addressed to the address owner's IPvX address as its own if it is not the IPvX address owner. The default is False. Deployments that rely on, for example, pinging the address owner's IPvX address may wish to configure Accept_Mode to True.
Note: IPv6 Neighbor Solicitations and Neighbor Advertisements MUST NOT be dropped when Accept_Mode is False.