Patch for 36810 & 20352
This coves several related problems
1) When the primary is in conflict done it allows the secondary to
transition around resolution interrupted and potentical conflict previously
the primary would die on an illegal state.
2) It allows the servers to restart a bind update request. Previously if
one of the servers sent an udpate request and there died (or had the communications
interrupted) in some states the first server wouldn't retransmit a new
update request and the other server wouldn't send any bind updates. This
was noticed in potential conflict.
3) Updated the state transitions to move the leases on the ack queue
back to the update queue in case of conflict-done as we might need to
retransmit them all.
4) Updated a transition from startup to potentical conflict instead
of resolution interrupted when the servers reconnect during the startup
phase in order to avoid a diffferent dead lock.
Emit a log message when the server had completed initialization
and is about to start dispatching. And emit log messages when
both peers in a failover pair have reached the normal state.
[ISC-Bugs #26108]
Add a compile time option, enable-secs-byteorder, to deal with
clients that do the byte ordering on the secs field incorrectly.
This field should be in network byte order but some clients
get it wrong. When this option is enabled the server will examine
the secs field and if it looks wrong (high byte non zero and low
byte zero) swap the bytes. The default is disabled. This option
is only useful when doing load balancing within failover.
[rt30320]
When processing a failover request with an unexpected name
create an option block the relationship_name instead of using
the one from the incoming message. This avoids problems when
the option is freed.
Also add code to free the relationship_name from the incoming
mesasage when we free the message.
should be cancelled. This patch results in cancelling the
outstanding request less often. It fixes the problem caused
by a client doing a release where the txt and ptr records
weren't removed from the DNS.
[ISC-BUGS #27858]
code to the DDNS handling. This code included a bug that caused it
to attempt to dereference a NULL pointer and eventually segfault.
While reviewing the code as we addressed this problem, we determined
that some of the updates to the lease structures would not work as
planned since the structures being updated were in the process of
being freed: these updates were removed. In addition we removed an
incorrect call to the DDNS removal function that could cause a failure
during the removal of DDNS information from the DNS server.
Thanks to Jasper Jongmans for reporting this issue.
[ISC-Bugs #27078]
CVE: CVE-2011-4868
Previously a connection request from a source that wasn't
listed as a failover peer would cause the server to become
non-responsive. [ISC-Bugs #22679]
CERT: VU#159528 CVE: CVE-2010-3616
which permits a DHCP server operating in communications-interrupted state
to 'rewind' a lease to the state most recently transmitted to its peer,
greatly increasing a server's endurance in communications-interrupted.
This is supported using a new 'rewind state' record on the dhcpd.leases
entry for each lease. [ISC-Bugs #19601]
they had performed ddns updates on a lease that is expiring, or was
released through the primary. As part of the same fix, stale binding scopes
will now be removed if a change in identity of a lease's active client is
detected, rather than simply if a lease is noticed to have expired (which it
may have expired without a failover server noticing in some situations).
[ISC-Bugs #19826b]
environments where DHCP servers can be reasonably guaranteed to be
"down" when the failover TCP socket is severed, "auto-partner-down".
This parameter is not generally safe, and by default is disabled, so
please carefully review the documentation of this parameter in the
dhcpd.conf(5) manpage before determining to use it yourself.
[ISC-Bugs #19600]
in scheduling a failover reconnection, if the link had not negotiated a
failover connect yet (e.g.: connection refused, asynch socket connect()
timeouts). [ISC-Bugs #19684]
leak ~20-30 octets per DHCPDISCOVER packet while failover was in use
and in normal state. [ISC-Bugs #19548]
- Various compilation fixes have been included for the memory related
DEBUG #defines in includes/site.h. [ISC-Bugs #19548]
high frequency messages moved to a deeper debugging symbol.
- The CLTT parameter in failover is now only updated by client activity,
and not by failover binding updates (taking on the peer's CLTT).
- Failover BNDUPD messages are now discarded if they conflict with an
update that has been trasnmitted, but not acknowledged.
[ISC-Bugs #17577c]
version 3.0.x failover server, a warning that the failover wire protocol
is incompatible is printed. [ISC-Bugs #17129]
- The failover server no longer issues a floating point error if it encounters
a previously undefined option code. [ISC-Bugs #17129]
was repaired. [ISC-Bugs #17228]
- A flaw in failover pool rebalancing that could cause POOLREQ messages to
be sent outside of the min-balance/max-balance scheduled intervals has
been repaired. [ISC-Bugs #17228]
mapped to the primary. Virgin leases now have an interleaved preference
between primary and secondary. [ISC-Bugs #17174]
- A bug was repaired where MAC Address Affinity for clients with no client
identifier was sometimes mishashed to the peer. Load balancing during
runtime and pool rebalancing were opposing. [ISC-Bugs #17174]
(moving leases between free and back to backup where there are an
odd number of leases).
[ISC-Bugs #16910]
- The 'pool' log line has been split into two messages, one before the
rebalance run, and one after.
[ISC-Bugs #16910]
- Any queued BNDACKs are transmitted before transmitting new BNDUPDs.
This enforces the correct sequence of events for the remote server
processing these messages.
[ISC-Bugs #16910]
3.1.0a1's tables resulted in a reduction in default server memory use.
The new selected values provide more of a zero sum (increasing the size
of tables likely to be populated, decreasing the size of tables unlikely).
- Lease structures appear in three spearate hashes: by IP address, by UID,
and by hardware address. One type of table was used for all three, and
improvements to IP address hashing were applied to all three (so UID and
hardware addresses were treated like 4-byte integers). There are now two
types of tables, and the uid/hw hashes use functions more appropriate
to their needs.
- The max-lease-misbalance percentage no longer causes scheduled rebalance
runs to be skipped: it still governs the schedule, but every scheduled
run will attempt balance.
[ISC-Bugs #16396]
entering normal state. [ISC-Bugs #16412]
- UPDREQ/UPDREQALL handling was optimized - it no longer dequeues and
requeues all pending updates. This should reduce the number of spurious
'xid mismatch' log mesasges. [ISC-Bugs #16412]
