new file mode 100644
@@ -0,0 +1,76 @@
+From edc71b19c619fdc1d71df10a2d0e8f5822965d69 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 8 Feb 2022 14:58:49 +0000
+Subject: [PATCH] vrrp: nft didn't support meta l4proro until Linux 3.14
+
+For Linux 3.13 (first version to support nftables), we instead specify:
+@nh,48,8 58
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+
+[Retrieved (and updated to drop update of README.kernel_versions) from:
+https://github.com/acassen/keepalived/commit/edc71b19c619fdc1d71df10a2d0e8f5822965d69]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ README.kernel_versions | 1 +
+ configure.ac | 5 +++++
+ keepalived/vrrp/vrrp_nftables.c | 16 ++++++++++++++--
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 350a9f4e9..bc643dbf1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1754,6 +1754,11 @@ if test .${enable_nftables} != .no; then
+ ],[
+ AC_MSG_RESULT(no)
+ ])
++
++ # nft l4proto from Linux 3.14
++ AC_CHECK_DECLS([NFT_META_L4PROTO], [], [],
++ [#include <linux/netfilter/nf_tables.h>])
++
+ # nft dup from Linux 4.3
+ AC_CHECK_DECLS([NFTA_DUP_MAX], [], [],
+ [#include <linux/netfilter/nf_tables.h>])
+diff --git a/keepalived/vrrp/vrrp_nftables.c b/keepalived/vrrp/vrrp_nftables.c
+index d3ea39db3..8b5095ad4 100644
+--- a/keepalived/vrrp/vrrp_nftables.c
++++ b/keepalived/vrrp/vrrp_nftables.c
+@@ -1191,6 +1191,8 @@ setup_rule_move_igmp(uint8_t family, const char *table,
+ otherwise:
+ nft add rule ip keepalived out ip protocol igmp [meta oifkind macvlan] oif @vmac_set drop
+ nft add rule ip6 keepalived out icmpv6 type mld2-listener-report [meta oifkind macvlan] oif @vmac_set drop
++ *
++ * Note: on 3.13 kernels, icmpv6 is specified as @nh,48,8 58
+ */
+ struct nftnl_rule *r = NULL;
+ uint64_t handle_num;
+@@ -1223,7 +1225,12 @@ setup_rule_move_igmp(uint8_t family, const char *table,
+ offsetof(struct iphdr, daddr), sizeof(struct in_addr));
+ #endif
+ } else {
+- add_meta(r, NFT_META_L4PROTO, NFT_REG_1);
++#if HAVE_DECL_NFT_META_L4PROTO
++ add_meta(r, NFT_META_L4PROTO, NFT_REG_1); /* From Linux 3.14 */
++#else
++ add_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1,
++ offsetof(struct ip6_hdr, ip6_nxt), sizeof(((struct ip6_hdr *)NULL)->ip6_nxt));
++#endif
+ protocol = IPPROTO_ICMPV6;
+ add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &protocol, sizeof(protocol));
+ add_payload(r, NFT_PAYLOAD_TRANSPORT_HEADER, NFT_REG_1,
+@@ -1279,7 +1286,12 @@ setup_rule_drop_router_solicit(const char *table, const char *chain,
+ nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num);
+ }
+
+- add_meta(r, NFT_META_L4PROTO, NFT_REG_1);
++#if HAVE_DECL_NFT_META_L4PROTO
++ add_meta(r, NFT_META_L4PROTO, NFT_REG_1); /* From Linux 3.14 */
++#else
++ add_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1,
++ offsetof(struct ip6_hdr, ip6_nxt), sizeof(((struct ip6_hdr *)NULL)->ip6_nxt));
++#endif
+ protocol = IPPROTO_ICMPV6;
+ add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &protocol, sizeof(protocol));
+ add_payload(r, NFT_PAYLOAD_TRANSPORT_HEADER, NFT_REG_1,
new file mode 100644
@@ -0,0 +1,40 @@
+From 50e8a8d56cd5a3d7184b035708865302bbc7ef69 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 8 Feb 2022 17:43:49 +0000
+Subject: [PATCH] ipvs: nft didn't support meta l4proro until Linux 3.14
+
+For Linux 3.13 (first version to support nftables), we instead specify:
+ipv4: @nh,72,8 PROTO
+ipv6: @nh,48,8 PROTO
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+
+[Retrieved from:
+https://github.com/acassen/keepalived/commit/50e8a8d56cd5a3d7184b035708865302bbc7ef69]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ keepalived/check/check_nftables.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/keepalived/check/check_nftables.c b/keepalived/check/check_nftables.c
+index 2d163ac14..45831203b 100644
+--- a/keepalived/check/check_nftables.c
++++ b/keepalived/check/check_nftables.c
+@@ -150,7 +150,16 @@ setup_rule_set_mark(uint8_t family, const char *table,
+ nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle_num);
+ }
+
+- add_meta(r, NFT_META_L4PROTO, NFT_REG_1);
++#if HAVE_DECL_NFT_META_L4PROTO
++ add_meta(r, NFT_META_L4PROTO, NFT_REG_1); /* From Linux 3.14 */
++#else
++ if (family == NFPROTO_IPV4)
++ add_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1,
++ offsetof(struct iphdr, protocol), sizeof(((struct iphdr *)NULL)->protocol));
++ else
++ add_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1,
++ offsetof(struct ip6_hdr, ip6_nxt), sizeof(((struct ip6_hdr *)NULL)->ip6_nxt));
++#endif
+ add_cmp(r, NFT_REG_1, NFT_CMP_EQ, &l4_protocol, sizeof(l4_protocol));
+ if (family == NFPROTO_IPV4)
+ add_payload(r, NFT_PAYLOAD_NETWORK_HEADER, NFT_REG_1,
@@ -11,6 +11,8 @@ KEEPALIVED_LICENSE = GPL-2.0+
KEEPALIVED_LICENSE_FILES = COPYING
KEEPALIVED_CPE_ID_VENDOR = keepalived
KEEPALIVED_CONF_OPTS = --disable-hardening
+# We're patching configure.ac
+KEEPALIVED_AUTORECONF = YES
ifeq ($(BR2_PACKAGE_JSON_C),y)
KEEPALIVED_DEPENDENCIES += json-c
Fix the following build failure with kernel < 3.14 raised since bump to version 2.27 in commit 79f631000fe6846e72f44810452bb764c228ad44: vrrp_nftables.c: In function 'setup_rule_move_igmp': vrrp_nftables.c:1226:15: error: 'NFT_META_L4PROTO' undeclared (first use in this function) add_meta(r, NFT_META_L4PROTO, NFT_REG_1); ^ Fixes: - http://autobuild.buildroot.org/results/2132570fb0407abc0e70146d771471e13ef10237 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- Changes v1 -> v2: - Fix kernel version (4.13 -> 3.14) ...upport-meta-l4proro-until-Linux-3-14.patch | 76 +++++++++++++++++++ ...upport-meta-l4proro-until-Linux-3-14.patch | 40 ++++++++++ package/keepalived/keepalived.mk | 2 + 3 files changed, 118 insertions(+) create mode 100644 package/keepalived/0001-vrrp-nft-didn-t-support-meta-l4proro-until-Linux-3-14.patch create mode 100644 package/keepalived/0002-ipvs-nft-didn-t-support-meta-l4proro-until-Linux-3-14.patch