authorBertrand Jacquin <beber@meleeweb.net>2013-11-15 16:11:21 +0100
committerBertrand Jacquin <beber@meleeweb.net>2013-11-15 16:11:21 +0100
commitbbdc9f342582ebf516de1346a65a013d0c4c1aef (patch)
tree57021eab154fa378ad8a4575408f7321bc7915bc
parentsys-kernel/stable-sources: Version bump (diff)
downloadportage-bbdc9f342582ebf516de1346a65a013d0c4c1aef.tar.xz
sys-cluster/keepalived: Import upstream patch "vrrp: disable TTL sanity check for unicast use-case"
Package-Manager: portage-2.2.7
-rw-r--r--metadata/md5-cache/sys-cluster/keepalived-1.2.92
-rw-r--r--sys-cluster/keepalived/ChangeLog6
-rw-r--r--sys-cluster/keepalived/Manifest5
-rw-r--r--sys-cluster/keepalived/files/keepalived-1.2.9-vrrp-disable-TTL-sanity-check-for-unicast-use-case.patch34
-rw-r--r--sys-cluster/keepalived/keepalived-1.2.9.ebuild1
5 files changed, 45 insertions, 3 deletions
diff --git a/metadata/md5-cache/sys-cluster/keepalived-1.2.9 b/metadata/md5-cache/sys-cluster/keepalived-1.2.9
index e8461ec7..4206e2b8 100644
--- a/metadata/md5-cache/sys-cluster/keepalived-1.2.9
+++ b/metadata/md5-cache/sys-cluster/keepalived-1.2.9
@@ -10,4 +10,4 @@ RDEPEND=dev-libs/popt sys-apps/iproute2 dev-libs/libnl:1.1 dev-libs/openssl snmp
SLOT=0
SRC_URI=http://www.keepalived.org/software/keepalived-1.2.9.tar.gz
_eclasses_=autotools 16761a2f972abd686713e5967ff3c754 base ec46b36a6f6fd1d0b505a33e0b74e413 eutils 4878e7f88afc0ba0866ac112190b0fd4 libtool b1c8688e60f9580bcb9bb46e08737eb1 multilib 892e597faee02a5b94eb02ab512e7622 multiprocessing 89580da5ec17ad687fcde876c542b91e toolchain-funcs 51e6c948e72c43bcc8edc7544411c953 user d0a4d0735a6c0183d707ca919bd72f28
-_md5_=f9e0cc1154ca478d1a37d5abc26a024c
+_md5_=17df1227dc8508ba0b2259265c9de4c4
diff --git a/sys-cluster/keepalived/ChangeLog b/sys-cluster/keepalived/ChangeLog
index ff8301e3..03c85bb1 100644
--- a/sys-cluster/keepalived/ChangeLog
+++ b/sys-cluster/keepalived/ChangeLog
@@ -1,3 +1,9 @@
+ 15 Nov 2013; Bertrand Jacquin <beber@meleeweb.net> +files/keepalived-1.2.9-vrr
+ p-disable-TTL-sanity-check-for-unicast-use-case.patch,
+ keepalived-1.2.9.ebuild:
+ sys-cluster/keepalived: Import upstream patch "vrrp: disable TTL sanity check
+ for unicast use-case"
+
*keepalived-1.2.9 (15 Nov 2013)
15 Nov 2013; Bertrand Jacquin <beber@meleeweb.net>
diff --git a/sys-cluster/keepalived/Manifest b/sys-cluster/keepalived/Manifest
index a3a6475c..8caedd6b 100644
--- a/sys-cluster/keepalived/Manifest
+++ b/sys-cluster/keepalived/Manifest
@@ -1,8 +1,9 @@
AUX keepalived-1.2.2-libipvs-fix-backup-daemon.patch 1929 SHA256 4a67e2910cf21dbd662b1004f26a0d02c48d3864ecfacbb0c6f3d5865b648341 WHIRLPOOL c4cc9419ea66011ff6a42e655715233fece6e882289810d8ac4f29d2c609902512ba7b8cfdc4a627c2ce008ec4ad0d8d297b618b08feccba2d21fb911fd188da
AUX keepalived-1.2.2-libipvs-fix-ipv6.patch 1036 SHA256 1f4b1c3b74537b2cd47052a068ee9a71131e14e851952c28d79ef027631f1347 WHIRLPOOL 75b62c97875d318ab3ced208f8b8e0c66d459164f2928a0907281fa93800b20ff953831c2dc4203bd7cb15f31cb2e14e79b7200052a032d466bbe3f69e591fc7
+AUX keepalived-1.2.9-vrrp-disable-TTL-sanity-check-for-unicast-use-case.patch 1395 SHA256 ae70383af18623b4c975892362eb0eba7b25c4c9d3f9d2282241e715d73f5ddb WHIRLPOOL 912c2cd685cc111f677381085869a5000e75153e7cb881f8dc0ac68e75585b6ad6ec18f4979df96a9d61f5894cc686485e9654d351999dd710554897ccf12869
AUX keepalived.confd 290 SHA256 e24b65e5c4ec5d37802db1d85aa5aac8f2fcef94a58db6b52d72da6286556c07 WHIRLPOOL 5b9747fc5fb25081f681c76acd6b8b5c13268f09398241d533f8ed153d0b5c5d9c8c08d77ef394268a64321352d4b17e2cb4dffe6c29198a8883519382a4ef51
AUX keepalived.init 912 SHA256 44fe841fa059c8d9a02f9f9b6d3dd6d12bcc42f83ed818795913cdcdcf6c3da7 WHIRLPOOL 67db38df631eab9aafcbc6dbf7534d9a8d307d82fa676b80a0bf23dda9fdda7be6fa40b3f7b841600e6e58b789e9e2ab236d7d2d1d71aa7fa968a089d6d1e12c
DIST keepalived-1.2.9.tar.gz 330779 SHA256 fb711dacce95b60eee18f2b89938a9fbebc5096022f17850fd2284f207e41d9d WHIRLPOOL 255887a26f9c561f9229961c835edf3e22563def594ce55af6d81105db5512ea31484efbfc0fb77234368f55bbbb4994edecf6b00af8399c3fc10f6903e1b6d2
-EBUILD keepalived-1.2.9.ebuild 1690 SHA256 91330f9f665a996af2b1e4208759d3ee3ec4eef494cb25bec6ab9b9c7a9dd52e WHIRLPOOL 52e2947aaccaa64d81da48266e591fb06e67eeadfb04d3ff3a8bbce20ded40fdf546c33902dc5709fe9c9ac2e215cbe3bda07ede1362e0bca00024d285311973
-MISC ChangeLog 339 SHA256 18c7c2217692a30b4662028ebfa0caf290148073e34c90bf3ee8f2e623bff33b WHIRLPOOL 5bee00e52beb45c0a2d66ce3a08fa0652f699028923c668d2d93f41b225022a3c3bf074362e7c942d5db4fcf77076c1e189744fdfd9bc04a2674d4f40c0a36dc
+EBUILD keepalived-1.2.9.ebuild 1768 SHA256 cf57e7537f535c1cdb6b81056a29a8ecb35adc842129fb6d83ab5171407bba02 WHIRLPOOL 5aeb867ad9e120b85de4af35cb4a6c9d7c34190553ecc4c30a18c0f3f8a45aba32e50f1a3acd5001d1608fc24d5a11ea023b4a0de901fd82318adf860b987ed0
+MISC ChangeLog 609 SHA256 ff59afbf5e782cd13d042ac4935e5ed5cda0c6579f2b05a788e42c372227ef06 WHIRLPOOL 454e493f3d8abfc9e95a2f418cc72e6fd21ccc883f2427694b9caeee0909e5065d0f7461f2bee54d1fa9536054516adc7d66e43da70789c6340aa42563f25100
MISC metadata.xml 272 SHA256 7fde2180ebedf6971ce9767ab11e619ca60ade87b6c32b37c8fbf3a5442d56b1 WHIRLPOOL ed96940f240f8e6fc1c4e2bf8d9b2064ade28255ef6238e048b3d80d8f9334b101e19deb5c1f89f83016c042bbc533b7855d02e3e0d19c5e2582d93fe416a80f
diff --git a/sys-cluster/keepalived/files/keepalived-1.2.9-vrrp-disable-TTL-sanity-check-for-unicast-use-case.patch b/sys-cluster/keepalived/files/keepalived-1.2.9-vrrp-disable-TTL-sanity-check-for-unicast-use-case.patch
new file mode 100644
index 00000000..7c9dd71a
--- /dev/null
+++ b/sys-cluster/keepalived/files/keepalived-1.2.9-vrrp-disable-TTL-sanity-check-for-unicast-use-case.patch
@@ -0,0 +1,34 @@
+From 3d9f6a44b07c049e5b8b03f55a5cefcc5753a679 Mon Sep 17 00:00:00 2001
+From: Alexandre Cassen <acassen@gmail.com>
+Date: Fri, 15 Nov 2013 15:51:10 +0100
+Subject: [PATCH] vrrp: disable TTL sanity check for unicast use-case
+
+In order to protect against any packet injection, VRRP provides
+sanity check over IP header TTL. This TTL MUST be equal to 255 and
+means both sender and receiver are attached on the same ethernet
+segment. Now with unicast extension this protection MUST be disabled
+since VRRP adverts will mostly traverse different network segments.
+
+!!! WARNING !!! When using VRRP in unicast use-case in order to protect
+against any packet injection the best practice is to use IPSEC-AH auth
+method otherwise you are exposed to potential attackers !
+---
+ keepalived/vrrp/vrrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/keepalived/vrrp/vrrp.c b/keepalived/vrrp/vrrp.c
+index ca1827e..19a52d1 100644
+--- a/keepalived/vrrp/vrrp.c
++++ b/keepalived/vrrp/vrrp.c
+@@ -247,7 +247,7 @@ vrrp_in_chk(vrrp_t * vrrp, char *buffer)
+ vips = (unsigned char *) ((char *) hd + sizeof(vrrphdr_t));
+
+ /* MUST verify that the IP TTL is 255 */
+- if (ip->ttl != VRRP_IP_TTL) {
++ if (LIST_ISEMPTY(vrrp->unicast_peer) && ip->ttl != VRRP_IP_TTL) {
+ log_message(LOG_INFO, "invalid ttl. %d and expect %d", ip->ttl,
+ VRRP_IP_TTL);
+ return VRRP_PACKET_KO;
+--
+1.8.4.3
+
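Review bot: With any `unicast_peer` configured, the new condition in `vrrp_in_chk()` skips the TTL == 255 check entirely, and nothing visible in this hunk replaces it, so the same-segment guarantee that check provided is gone for those instances. The patch header says IPSEC-AH should be used in that case, but that warning lives only inside the patch file; I would surface it from the ebuild, e.g. `ewarn "VRRP unicast peers disable the TTL=255 sanity check; configure IPSEC-AH authentication"` in `pkg_postinst`. The retained comment `/* MUST verify that the IP TTL is 255 */` no longer describes the condition and could read `/* MUST verify that the IP TTL is 255, unless unicast peers are configured */`, though for an imported patch that wording is better proposed upstream. Whether the sender address is matched against the configured peers elsewhere in `vrrp_in_chk()` cannot be seen here, because the function starts and ends outside the hunk.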
diff --git a/sys-cluster/keepalived/keepalived-1.2.9.ebuild b/sys-cluster/keepalived/keepalived-1.2.9.ebuild
index 76601fb4..a62cc7bd 100644
--- a/sys-cluster/keepalived/keepalived-1.2.9.ebuild
+++ b/sys-cluster/keepalived/keepalived-1.2.9.ebuild
@@ -26,6 +26,7 @@ DEPEND="${RDEPEND}
PATCHES=(
"${FILESDIR}"/${PN}-1.2.2-libipvs-fix-backup-daemon.patch
"${FILESDIR}"/${PN}-1.2.2-libipvs-fix-ipv6.patch
+ "${FILESDIR}"/${PV}-vrrp-disable-TTL-sanity-check-for-unicast-use-case.patch
)
DOCS=( README CONTRIBUTORS INSTALL VERSION ChangeLog AUTHOR TODO
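Review bot: The added `PATCHES` entry starts with `${PV}` where the two entries above it start with `${PN}-`, so it expands to `1.2.9-vrrp-disable-TTL-sanity-check-for-unicast-use-case.patch`, which does not match the file this commit adds under `files/` (`keepalived-1.2.9-vrrp-…`, as also listed in the Manifest). It should read `"${FILESDIR}"/${P}-vrrp-disable-TTL-sanity-check-for-unicast-use-case.patch` (or `${PN}-${PV}-…`). As written the patch file is presumably not found when the sources are prepared, so the build either fails or the package ships without the change the commit title announces. The rest of the ebuild, including the `DOCS` array, continues outside the hunk.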