linux - keepalive automatically adds iptables rules that drop the VIP after startup
怪我咯 2017-04-17 17:04:38

All replies (1)
左手右手慢动作
# Enforce strict VRRP protocol compliance. This will prohibit:
#   0 VIPs
#   unicast peers
#   IPv6 addresses in VRRP version 2
vrrp_strict

https://github.com/acassen/ke...

iptables entries should only be added if strict or noaccept is configured against the vrrp instance, or vrrp_strict is configured in global_defs. This is to comply with RFC5798 Accept_Mode, except that unless strict is specified, the default is to set Accept_Mode (i.e. allow packets to be received by the virtual IP address) whereas the RFC states that the default should be Accept_Mode is false.

You could try specifying accept against the vrrp instances, to see if that stops the iptables entries being added.

Could you post a copy of your keepalived config so that we can test it to make sure there isn't a problem with the logic in this area in keepalived. I have tested a minimal config without strict or noaccept set, and it doesn't add iptables entries for me.

https://www.rfc-editor.org/rf...

   Accept_Mode                 Controls whether a virtual router in
                               Master state will accept packets
                               addressed to the address owner's IPvX
                               address as its own if it is not the IPvX
                               address owner.  The default is False.
                               Deployments that rely on, for example,
                               pinging the address owner's IPvX address
                               may wish to configure Accept_Mode to
                               True.

                               Note: IPv6 Neighbor Solicitations and
                               Neighbor Advertisements MUST NOT be
                               dropped when Accept_Mode is False.
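
An added example, not part of the original answer and not keepalived's own code: a small checker that applies the rule quoted above to a keepalived.conf and reports, per vrrp_instance, whether iptables entries for the VIP are to be expected. The function name `vip_filter_report` and the sample config are constructed for illustration; the sketch only looks at `vrrp_strict`, `accept` and `noaccept`, and assumes each block opens with `{` on the same line as its name.

```python
import re

# Constructed sample config (not from the original post).
SAMPLE_CONF = """\
global_defs {
    vrrp_strict
}
vrrp_instance VI_1 {
    interface eth0
    virtual_ipaddress {
        192.0.2.10
    }
}
vrrp_instance VI_2 {
    interface eth0
    accept
    virtual_ipaddress {
        192.0.2.11
    }
}
"""

def vip_filter_report(conf_text):
    """Map each vrrp_instance name to 'accept', 'drop' or 'check'."""
    strict, stack, current, flags = False, [], None, {}
    for raw in conf_text.splitlines():
        words = re.split(r"[#!]", raw, maxsplit=1)[0].split()  # strip comments
        if not words:
            continue
        if words[-1] == "{":                     # a block opens on this line
            stack.append(words[0])
            if stack == ["vrrp_instance"]:       # top-level instance block
                current, flags[words[1]] = words[1], set()
        elif words[0] == "}":
            del stack[-1:]                       # tolerate unbalanced braces
        elif stack == ["global_defs"] and words[0] == "vrrp_strict":
            strict = True
        elif stack == ["vrrp_instance"] and words[0] in ("accept", "noaccept"):
            flags[current].add(words[0])
    report = {}
    for name, kw in flags.items():
        if "noaccept" in kw or (strict and "accept" not in kw):
            report[name] = "drop"     # quoted rule: iptables entries get added
        elif strict:
            report[name] = "check"    # accept under vrrp_strict: confirm on the host
        else:
            report[name] = "accept"   # keepalived default when strict is not set
    return report
```

An instance reported as `check` is the case the answer suggests trying; confirm the result on the host by listing the iptables rules after keepalived starts.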