acassen / keepalived

Keepalived
https://www.keepalived.org
GNU General Public License v2.0

Keepalived claims that blackhole route doesn't have interface and can't be tracked #2426

Closed robert-scheck closed 3 months ago

robert-scheck commented 3 months ago

Describe the bug

Jun  5 14:46:09 Keepalived_vrrp[3046]: (/etc/keepalived/keepalived.conf: Line 108) Warning - cannot track route 192.0.2.0/24 with no interface specified, not tracking
Jun  5 14:46:09 Keepalived_vrrp[3046]: (/etc/keepalived/keepalived.conf: Line 286) Warning - cannot track route 2001:db8::/32 with no interface specified, not tracking

To Reproduce

Well, it's a (general) blackhole route…to which interface shall this (general) blackhole route be assigned? Aside from this, this wouldn't make sense to me. It looks like this in the configuration:

vrrp_instance vrrp_ipv4 {
    # …
    virtual_routes {
        blackhole 192.0.2.0/24
        # …
    }
}

vrrp_instance vrrp_ipv6 {
    # …
    virtual_routes {
        blackhole 2001:db8::/32
        # …
    }
}

Further on, the blackhole example in man keepalived.conf also has no interface:

           virtual_routes {
               # src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR>
               #   [or <IPADDR>] dev <STRING> scope <SCOPE> table <TABLE>
               src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
               192.168.110.0/24 via 192.168.200.254 dev eth1
               192.168.111.0/24 dev eth2 no_track
               192.168.112.0/24 via 192.168.100.254
               192.168.113.0/24 via 192.168.200.254 or 192.168.100.254 dev eth1
               blackhole 192.168.114.0/24
               0.0.0.0/0 gw 192.168.0.1 table 100  # To set a default gateway into table 100.
           }

Expected behavior

Either the example in the man page should explain which interface to use with a (general) blackhole route (which still doesn't make sense to me), or the warnings for (general) blackhole routes without interfaces should not be raised due to fixes in the code.

Keepalived version

$  keepalived -v
Keepalived v2.2.8 (04/04,2023), git commit v2.2.7-154-g292b299e+

Copyright(C) 2001-2023 Alexandre Cassen, <acassen@gmail.com>

Built with kernel headers for Linux 5.14.0
Running on Linux 5.14.0-427.20.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 23 16:37:13 EDT 2024
Distro: Red Hat Enterprise Linux 9.4 (Plow)

configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-snmp --enable-snmp-rfc --enable-nftables --disable-iptables --enable-sha1 --enable-json --with-init=systemd build_alias=x86_64-redhat-linux-gnu host_alias=x86_64-redhat-linux-gnu PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig CC=gcc CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 

Config options:  NFTABLES LVS VRRP VRRP_AUTH VRRP_VMAC JSON OLD_CHKSUM_COMPAT SNMP_V3_FOR_V2 SNMP_VRRP SNMP_CHECKER SNMP_RFCV2 SNMP_RFCV3 INIT=systemd SYSTEMD_NOTIFY

System options:  VSYSLOG MEMFD_CREATE IPV6_MULTICAST_ALL IPV4_DEVCONF LIBNL3 RTA_ENCAP RTA_EXPIRES RTA_NEWDST RTA_PREF FRA_SUPPRESS_PREFIXLEN FRA_SUPPRESS_IFGROUP FRA_TUN_ID RTAX_CC_ALGO RTAX_QUICKACK RTEXT_FILTER_SKIP_STATS FRA_L3MDEV FRA_UID_RANGE RTAX_FASTOPEN_NO_COOKIE RTA_VIA FRA_PROTOCOL FRA_IP_PROTO FRA_SPORT_RANGE FRA_DPORT_RANGE RTA_TTL_PROPAGATE IFA_FLAGS LWTUNNEL_ENCAP_MPLS LWTUNNEL_ENCAP_ILA NET_LINUX_IF_H_COLLISION LIBIPTC_LINUX_NET_IF_H_COLLISION LIBIPVS_NETLINK IPVS_DEST_ATTR_ADDR_FAMILY IPVS_SYNCD_ATTRIBUTES IPVS_64BIT_STATS IPVS_TUN_TYPE IPVS_TUN_CSUM IPVS_TUN_GRE VRRP_IPVLAN IFLA_LINK_NETNSID GLOB_BRACE GLOB_ALTDIRFUNC INET6_ADDR_GEN_MODE VRF SO_MARK
$ 

Distro (please complete the following information):

Details of any containerisation or hosted service (e.g. AWS)

Real classic physical hardware.

Configuration file: (Please let me know if the example in the section "To Reproduce" isn't enough)

Notify and track scripts (The notify scripts are the default primary-backup.sh as provided in the examples/documentation)

System Log entries

Jun  5 14:46:09 Keepalived[2836]: Command line: '/usr/sbin/keepalived' '--dont-fork' '-D'
Jun  5 14:46:09 Keepalived[2836]: Opening file '/etc/keepalived/keepalived.conf'.
Jun  5 14:46:09 Keepalived[2836]: Configuration file /etc/keepalived/keepalived.conf
Jun  5 14:46:09 Keepalived_vrrp[3046]: (/etc/keepalived/keepalived.conf: Line 108) Warning - cannot track route 192.0.2.0/24 with no interface specified, not tracking
Jun  5 14:46:09 Keepalived_vrrp[3046]: (/etc/keepalived/keepalived.conf: Line 286) Warning - cannot track route 2001:db8::/32 with no interface specified, not tracking

Did keepalived coredump? No

Additional context

This behaviour did not exist with keepalived 1.3.5 as shipped with Red Hat Enterprise Linux 7 (yes, that was like a decade ago).

pqarmitage commented 3 months ago

No, your assertion is incorrect. keepalived states that because the route doesn't have an interface it cannot track the route. That is inevitably the case with a blackhole route since it cannot have an interface.

robert-scheck commented 3 months ago

So, it is fully intended that in such a case a correct configuration always throws a warning in the logs? That's confusing for administrators from my point of view.

pqarmitage commented 3 months ago

The way to stop the warning is to add no_track to the route specification.

However, I have been thinking some more about this and I cannot see any reason why an interface is needed now in order to track the route. Accordingly commit a205e87 removes the requirement for a virtual route to have an interface specified for it to be tracked, and consequently no longer issues the warning.
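
An added example, not part of the thread or of keepalived's own code: a small Python check that lists `virtual_routes` entries with neither an interface nor `no_track`, which are the entries that draw the warning discussed above on builds without commit a205e87. The function name, the constructed sample configuration and the treatment of `oif` as a synonym for `dev` are assumptions.

```python
import re

# Constructed sample, modelled on the configuration quoted in the issue.
SAMPLE_CONF = """\
vrrp_instance vrrp_ipv4 {
    virtual_routes {
        blackhole 192.0.2.0/24
        192.168.111.0/24 dev eth2 no_track
        192.168.110.0/24 via 192.168.200.254 dev eth1
        blackhole 198.51.100.0/24 no_track   # warning suppressed
    }
}
vrrp_instance vrrp_ipv6 {
    virtual_routes {
        blackhole 2001:db8::/32
    }
}
"""

def untracked_route_warnings(conf_text):
    """Return (line_no, route_text) for each virtual_routes entry that has
    neither an interface (dev/oif, the latter assumed) nor no_track."""
    findings = []
    depth = 0
    routes_depth = None  # brace depth while inside a virtual_routes block
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        # keepalived.conf comments start with '#' or '!'
        line = re.split(r"[#!]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if routes_depth is None and tokens[0] == "virtual_routes" and line.endswith("{"):
            depth += 1
            routes_depth = depth
            continue
        if routes_depth is not None and depth == routes_depth and tokens[0] != "}":
            if not {"dev", "oif", "no_track"} & set(tokens):
                findings.append((line_no, line))
        depth += line.count("{") - line.count("}")
        if routes_depth is not None and depth < routes_depth:
            routes_depth = None
    return findings

if __name__ == "__main__":
    for line_no, route in untracked_route_warnings(SAMPLE_CONF):
        print(f"line {line_no}: '{route}' has no interface and no no_track")
```

Running it against a real `/etc/keepalived/keepalived.conf` before an upgrade shows which route lines need `no_track` to keep the log free of this warning.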