keepalive 启动后自动添加iptables drop掉VIP

Question

keepalive 启动后自动添加iptables drop掉VIP
导致VIP不能ping通，

[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d1:e1:87 brd ff:ff:ff:ff:ff:ff
    inet 192.168.71.128/24 brd 192.168.71.255 scope global eth0
    inet 192.168.71.100/32 scope global eth0
    inet6 fe80::20c:29ff:fed1:e187/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             192.168.71.100      

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# cat /etc/keepalive/keepalived.conf 
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 128
    priority 200
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.71.100
    }
}

[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:2c:24:20 brd ff:ff:ff:ff:ff:ff
    inet 192.168.71.129/24 brd 192.168.71.255 scope global eth0
    inet 192.168.71.100/32 scope global eth0
    inet6 fe80::20c:29ff:fe2c:2420/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             192.168.71.100      

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# cat /etc/keepalive/keepalived.conf 
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 138
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.71.100
    }
}

Answer 1

# Enforce strict VRRP protocol compliance. This will prohibit:
#   0 VIPs
#   unicast peers
#   IPv6 addresses in VRRP version 2
vrrp_strict

https://github.com/acassen/ke...

iptables entries should only be added if  strict  or  noaccept  is configured against the vrrp instance, or  vrrp_strict  is configured in global_defs. This is to comply with RFC5798 Accept_Mode, except that unless  strict  is specified, the default is to set Accept_Mode (i.e. allow packets to be received by the virtual IP address) whereas the RFC states that the default should be Accept_Mode is false.

You could try specifying  accept  against the vrrp instances, so see if that stops the iptables entries being added.

Could you post a copy of your keepalived config so that we can test it to make sure there isn't a problem with the logic in this area in keepalived. I have tested a minimal config without strict oro noaccept set, and it doesn't add iptables entries for me.

https://www.rfc-editor.org/rf...

   Accept_Mode                 Controls whether a virtual router in
                               Master state will accept packets
                               addressed to the address owner's IPvX
                               address as its own if it is not the IPvX
                               address owner.  The default is False.
                               Deployments that rely on, for example,
                               pinging the address owner's IPvX address
                               may wish to configure Accept_Mode to
                               True.

                               Note: IPv6 Neighbor Solicitations and
                               Neighbor Advertisements MUST NOT be
                               dropped when Accept_Mode is False.

Answer 2

在keepalived.conf配置文件中global_defs里去掉vrrp_strict 就可以了