PSARC/2009/653 VRRP disabled by default

6902603 vrrp daemon should not report error in a shared-ip zone

12 files changed, 291 insertions, 35 deletions

diff --git a/usr/src/cmd/cmd-inet/usr.lib/vrrpd/vrrp.xml b/usr/src/cmd/cmd-inet/usr.lib/vrrpd/vrrp.xml
index 04caa484ec..5b95f40404 100644
--- a/usr/src/cmd/cmd-inet/usr.lib/vrrpd/vrrp.xml
+++ b/usr/src/cmd/cmd-inet/usr.lib/vrrpd/vrrp.xml
@@ -20,7 +20,7 @@
 
  CDDL HEADER END
 
-	Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+	Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 	Use is subject to license terms.
 
 	NOTE:  This service manifest is not editable; its contents will
@@ -36,7 +36,7 @@
 	type='service'
 	version='1'>
 
-	<create_default_instance enabled='true' />
+	<create_default_instance enabled='false' />
 
 	<single_instance/>
 
@@ -84,6 +84,14 @@
 	    exec=':kill'
 	    timeout_seconds='60' />
 
+	<!-- to start/stop the VRRP service -->
+	<property_group name='general' type='framework'>
+		<propval name='action_authorization' type='astring' 
+			value='solaris.smf.manage.vrrp' />
+		<propval name='value_authorization' type='astring' 
+			value='solaris.smf.manage.vrrp' />
+	</property_group>
+
 	<property_group name='startd' type='framework'>
 		<!-- sub-process core dumps shouldn't restart session -->
 		<propval name='ignore_error' type='astring'
diff --git a/usr/src/cmd/cmd-inet/usr.lib/vrrpd/vrrpd.c b/usr/src/cmd/cmd-inet/usr.lib/vrrpd/vrrpd.c
index f78647788a..f081287d0a 100644
--- a/usr/src/cmd/cmd-inet/usr.lib/vrrpd/vrrpd.c
+++ b/usr/src/cmd/cmd-inet/usr.lib/vrrpd/vrrpd.c
@@ -20,7 +20,7 @@
  */
 
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -119,6 +119,7 @@ static vrrp_addr_t	vrrp_muladdr4;
 static vrrp_addr_t	vrrp_muladdr6;
 
 static int		vrrpd_scan_interval = 20000;	/* ms */
+static int		pfds[2];
 
 /*
  * macros to calculate skew_time and master_down_timer
@@ -520,6 +521,33 @@ rtm_event2str(uchar_t event)
 	}
 }
 
+/*
+ * This is called by the child process to inform the parent process to
+ * exit with the given return value. Note that the child process
+ * (the daemon process) informs the parent process to exit when anything
+ * goes wrong or when all the intialization is done.
+ */
+static int
+vrrpd_inform_parent_exit(int rv)
+{
+	int err = 0;
+
+	/*
+	 * If vrrp_debug_level is none-zero, vrrpd is not running as
+	 * a daemon. Return directly.
+	 */
+	if (vrrp_debug_level != 0)
+		return (0);
+
+	if (write(pfds[1], &rv, sizeof (int)) != sizeof (int)) {
+		err = errno;
+		(void) close(pfds[1]);
+		return (err);
+	}
+	(void) close(pfds[1]);
+	return (0);
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -594,12 +622,12 @@ main(int argc, char *argv[])
 	rl.rlim_max = RLIM_INFINITY;
 	if (setrlimit(RLIMIT_NOFILE, &rl) == -1) {
 		vrrp_log(VRRP_ERR, "main(): setrlimit() failed");
-		return (EXIT_FAILURE);
+		goto child_out;
 	}
 
 	if (vrrpd_init() != VRRP_SUCCESS) {
 		vrrp_log(VRRP_ERR, "main(): vrrpd_init() failed");
-		return (EXIT_FAILURE);
+		goto child_out;
 	}
 
 	/*
@@ -615,6 +643,16 @@ main(int argc, char *argv[])
 	vrrpd_initconf();
 
 	/*
+	 * Inform the parent process that it can successfully exit.
+	 */
+	if ((err = vrrpd_inform_parent_exit(EXIT_SUCCESS)) != 0) {
+		vrrpd_cleanup();
+		vrrp_log(VRRP_WARNING, "vrrpd_inform_parent_exit() failed: %s",
+		    strerror(err));
+		return (EXIT_FAILURE);
+	}
+
+	/*
 	 * Start the loop to handle the timer and the IO events.
 	 */
 	switch (iu_handle_events(vrrpd_eh, vrrpd_timerq)) {
@@ -628,32 +666,65 @@ main(int argc, char *argv[])
 
 	vrrpd_cleanup();
 	return (EXIT_SUCCESS);
+
+child_out:
+	(void) vrrpd_inform_parent_exit(EXIT_FAILURE);
+	return (EXIT_FAILURE);
 }
 
 static int
 daemon_init()
 {
 	pid_t	pid;
+	int	rv;
 
 	vrrp_log(VRRP_DBG0, "daemon_init()");
 
 	if (getenv("SMF_FMRI") == NULL) {
-		vrrp_log(VRRP_ERR, "main(): vrrpd is an smf(5) managed service "
-		    "and should not be run from the command line.");
+		vrrp_log(VRRP_ERR, "daemon_init(): vrrpd is an smf(5) managed "
+		    "service and should not be run from the command line.");
 		return (-1);
 	}
 
-	if ((pid = fork()) < 0)
+	/*
+	 * Create the pipe used for the child process to inform the parent
+	 * process to exit after all initialization is done.
+	 */
+	if (pipe(pfds) < 0) {
+		vrrp_log(VRRP_ERR, "daemon_init(): pipe() failed: %s",
+		    strerror(errno));
 		return (-1);
+	}
 
-	if (pid != 0) {
-		/* in parent process: do nothing. */
-		exit(0);
+	if ((pid = fork()) < 0) {
+		vrrp_log(VRRP_ERR, "daemon_init(): fork() failed: %s",
+		    strerror(errno));
+		(void) close(pfds[0]);
+		(void) close(pfds[1]);
+		return (-1);
+	}
+
+	if (pid != 0) { /* Parent */
+		(void) close(pfds[1]);
+
+		/*
+		 * Read the child process's return value from the pfds.
+		 * If the child process exits unexpectedly, read() returns -1.
+		 */
+		if (read(pfds[0], &rv, sizeof (int)) != sizeof (int)) {
+			vrrp_log(VRRP_ERR, "daemon_init(): child process "
+			    "exited unexpectedly %s", strerror(errno));
+			(void) kill(pid, SIGTERM);
+			rv = EXIT_FAILURE;
+		}
+		(void) close(pfds[0]);
+		exit(rv);
 	}
 
 	/*
 	 * in child process, became a daemon, and return to main() to continue.
 	 */
+	(void) close(pfds[0]);
 	(void) chdir("/");
 	(void) setsid();
 	(void) close(0);
@@ -4436,6 +4507,7 @@ vrrp_log(int level, char *message, ...)
 			 * VRRP_ERR goes to stderr, others go to stdout
 			 */
 			FILE *out = (level <= VRRP_ERR) ? stderr : stdout;
+			(void) fprintf(out, "vrrpd: ");
 			/* LINTED: E_SEC_PRINTF_VAR_FMT */
 			(void) vfprintf(out, message, ap);
 			(void) fprintf(out, "\n");
diff --git a/usr/src/lib/Makefile b/usr/src/lib/Makefile
index cdb80ff97a..033931fb88 100644
--- a/usr/src/lib/Makefile
+++ b/usr/src/lib/Makefile
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 
@@ -644,7 +644,7 @@ libexacct/demo:	libexacct libproject libsocket libnsl
 libtsalarm:	libpcp
 smbsrv:		libsocket libnsl libmd libxnet libpthread librt \
 		libshare libidmap pkcs11 libsqlite
-libvrrpadm:	libsocket libdladm
+libvrrpadm:	libsocket libdladm libscf
 libvscan:	libscf
 scsi:		libnvpair
 mpapi:		libpthread libdevinfo libsysevent libnvpair
diff --git a/usr/src/lib/libsecdb/auth_attr.txt b/usr/src/lib/libsecdb/auth_attr.txt
index 70ae120dab..0b2d1b5ff4 100644
--- a/usr/src/lib/libsecdb/auth_attr.txt
+++ b/usr/src/lib/libsecdb/auth_attr.txt
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # /etc/security/auth_attr
@@ -157,6 +157,7 @@ solaris.smf.manage.stmf:::Manage STMF Service States::help=SmfSTMFStates.html
 solaris.smf.manage.system-log:::Manage Syslog Service States::help=SmfSyslogStates.html
 solaris.smf.manage.tnctl:::Manage Refresh of Trusted Network Parameters::help=TNctl.html
 solaris.smf.manage.tnd:::Manage Trusted Network Daemon::help=TNDaemon.html
+solaris.smf.manage.vrrp:::Manage VRRP Service States::help=SmfVRRPStates.html
 solaris.smf.manage.vscan:::Manage VSCAN Service States::help=SmfVscanStates.html
 solaris.smf.manage.vt:::Manage Virtual Console Service States::help=SmfVtStates.html
 solaris.smf.manage.wpa:::Manage WPA Service States::help=SmfWpaStates.html
diff --git a/usr/src/lib/libsecdb/help/auths/Makefile b/usr/src/lib/libsecdb/help/auths/Makefile
index d8d45feb77..200740501d 100644
--- a/usr/src/lib/libsecdb/help/auths/Makefile
+++ b/usr/src/lib/libsecdb/help/auths/Makefile
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # lib/libsecdb/help/auths/Makefile
@@ -119,6 +119,7 @@ HTMLENTS = \
 	SmfValueVscan.html \
 	SmfVscanStates.html \
 	SmfValueVt.html	\
+	SmfVRRPStates.html \
 	SmfWpaStates.html \
 	NetworkAutoconf.html \
 	NetworkILBconf.html \
diff --git a/usr/src/lib/libsecdb/help/auths/SmfVRRPStates.html b/usr/src/lib/libsecdb/help/auths/SmfVRRPStates.html
new file mode 100644
index 0000000000..5b2356eccc
--- /dev/null
+++ b/usr/src/lib/libsecdb/help/auths/SmfVRRPStates.html
@@ -0,0 +1,37 @@
+<HTML>
+<!--
+    CDDL HEADER START
+
+    The contents of this file are subject to the terms of the
+    Common Development and Distribution License (the "License").
+    You may not use this file except in compliance with the License.
+
+    You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+    or http://www.opensolaris.org/os/licensing.
+    See the License for the specific language governing permissions
+    and limitations under the License.
+
+    When distributing Covered Code, include this CDDL HEADER in each
+    file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+    If applicable, add the following below this CDDL HEADER, with the
+    fields enclosed by brackets "[]" replaced with your own identifying
+    information: Portions Copyright [yyyy] [name of copyright owner]
+
+    CDDL HEADER END
+
+Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
+Use is subject to license terms.
+-->
+<!--
+   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
+-->
+<BODY>
+When Manage VRRP Service States is in the Authorizations Include
+column, it grants the authorization to enable, disable, or restart
+the VRRP service.
+<p>
+If Manage VRRP Service States is grayed, then you are not entitled
+to Add or Remove this authorization.
+<BR>&nbsp;
+</BODY>
+</HTML>
diff --git a/usr/src/lib/libsecdb/prof_attr.txt b/usr/src/lib/libsecdb/prof_attr.txt
index 2aa812eb25..970f8d5cd4 100644
--- a/usr/src/lib/libsecdb/prof_attr.txt
+++ b/usr/src/lib/libsecdb/prof_attr.txt
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 
@@ -63,7 +63,7 @@ MMS User:::MMS Tape User:auths=solaris.mms.io.*;help=RtMMSUser.html
 NDMP Management:::Manage the NDMP service:auths=solaris.smf.manage.ndmp,solaris.smf.value.ndmp,solaris.smf.read.ndmp;help=RtNdmpMngmnt.html
 Network Autoconf:::Manage network auto-magic configuration via nwamd:auths=solaris.network.autoconf;help=RtNetAutoconf.html
 Network ILB:::Manage ILB configuration via ilbadm:auths=solaris.network.ilb.config,solaris.network.ilb.enable;help=RtNetILB.html
-Network VRRP:::Manage VRRP instances:auths=solaris.network.vrrp;help=RtNetVRRP.html
+Network VRRP:::Manage VRRP instances:auths=solaris.network.vrrp,solaris.smf.manage.vrrp;help=RtNetVRRP.html
 Network Management:::Manage the host and network configuration:auths=solaris.smf.manage.name-service-cache,solaris.smf.manage.bind,solaris.smf.value.routing,solaris.smf.manage.routing,solaris.smf.value.nwam,solaris.smf.manage.nwam,solaris.smf.manage.tnd,solaris.smf.manage.tnctl,solaris.smf.manage.wpa,solaris.smf.value.mdns,solaris.smf.manage.mdns,solaris.smf.manage.ilb;profiles=Network Wifi Management,Inetd Management,Network Autoconf,Network VRRP,Network Observability;help=RtNetMngmnt.html
 Network Observability:::Allow access to observability devices:privs=net_observability;help=RtNetObservability.html
 Network Security:::Manage network and host security:auths=solaris.smf.manage.ssh,solaris.smf.value.tnd;profiles=Network Wifi Security,Network Link Security,Network IPsec Management;help=RtNetSecure.html
diff --git a/usr/src/lib/libvrrpadm/Makefile.com b/usr/src/lib/libvrrpadm/Makefile.com
index db7f53a510..004227bca4 100644
--- a/usr/src/lib/libvrrpadm/Makefile.com
+++ b/usr/src/lib/libvrrpadm/Makefile.com
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 
@@ -33,7 +33,7 @@ include ../../Makefile.lib
 #include ../../Makefile.rootfs
 
 LIBS =		$(DYNLIB) $(LINTLIB)
-LDLIBS +=	-lc -lsocket -ldladm
+LDLIBS +=	-lc -lsocket -ldladm -lscf
 
 SRCDIR =	../common
 $(LINTLIB) :=	SRCS = $(SRCDIR)/$(LINTSRC)
diff --git a/usr/src/lib/libvrrpadm/common/libvrrpadm.c b/usr/src/lib/libvrrpadm/common/libvrrpadm.c
index b2ca3f49c7..2e9cb06aaf 100644
--- a/usr/src/lib/libvrrpadm/common/libvrrpadm.c
+++ b/usr/src/lib/libvrrpadm/common/libvrrpadm.c
@@ -20,7 +20,7 @@
  */
 
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -46,10 +46,78 @@
 #include <libdlvlan.h>
 #include <libdllink.h>
 #include <libintl.h>
+#include <libscf.h>
 #include <libvrrpadm.h>
 
+#define	VRRP_SERVICE	"network/vrrp:default"
+
 typedef vrrp_err_t vrrp_cmd_func_t(int, void *);
 
+static boolean_t
+vrrp_svc_isonline(char *svc_name)
+{
+	char		*s;
+	boolean_t	isonline = B_FALSE;
+
+	if ((s = smf_get_state(svc_name)) != NULL) {
+		if (strcmp(s, SCF_STATE_STRING_ONLINE) == 0)
+			isonline = B_TRUE;
+		free(s);
+	}
+
+	return (isonline);
+}
+
+#define	MAX_WAIT_TIME	15
+
+static vrrp_err_t
+vrrp_enable_service()
+{
+	int	i;
+
+	if (vrrp_svc_isonline(VRRP_SERVICE))
+		return (VRRP_SUCCESS);
+
+	if (smf_enable_instance(VRRP_SERVICE, 0) == -1) {
+		if (scf_error() == SCF_ERROR_PERMISSION_DENIED)
+			return (VRRP_EPERM);
+		else
+			return (VRRP_ENOSVC);
+	}
+
+	/*
+	 * Wait up to MAX_WAIT_TIME seconds for the VRRP service being brought
+	 * up online
+	 */
+	for (i = 0; i < MAX_WAIT_TIME; i++) {
+		if (vrrp_svc_isonline(VRRP_SERVICE))
+			break;
+		(void) sleep(1);
+	}
+	if (i == MAX_WAIT_TIME)
+		return (VRRP_ENOSVC);
+
+	return (VRRP_SUCCESS);
+}
+
+/*
+ * Disable the VRRP service if there is no VRRP router left.
+ */
+static void
+vrrp_disable_service_when_no_router()
+{
+	uint32_t	cnt = 0;
+
+	/*
+	 * Get the number of the existing routers. If there is no routers
+	 * left, disable the service.
+	 */
+	if (vrrp_list(NULL, VRRP_VRID_NONE, NULL, AF_UNSPEC, &cnt,
+	    NULL) == VRRP_SUCCESS && cnt == 0) {
+		(void) smf_disable_instance(VRRP_SERVICE, 0);
+	}
+}
+
 static vrrp_err_t
 vrrp_cmd_request(void *cmd, size_t csize, vrrp_cmd_func_t func, void *arg)
 {
@@ -60,7 +128,7 @@ vrrp_cmd_request(void *cmd, size_t csize, vrrp_cmd_func_t func, void *arg)
 	vrrp_err_t		err;
 
 	if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
-		return (VRRP_ECMD);
+		return (VRRP_ESYS);
 
 	/*
 	 * Set it to be non-blocking.
@@ -77,7 +145,7 @@ vrrp_cmd_request(void *cmd, size_t csize, vrrp_cmd_func_t func, void *arg)
 	 */
 	if (connect(sock, (const struct sockaddr *)&to, sizeof (to)) < 0) {
 		(void) close(sock);
-		return (VRRP_ECMD);
+		return (VRRP_ENOSVC);
 	}
 
 	/*
@@ -92,7 +160,7 @@ vrrp_cmd_request(void *cmd, size_t csize, vrrp_cmd_func_t func, void *arg)
 			continue;
 		}
 		(void) close(sock);
-		return (VRRP_ECMD);
+		return (VRRP_ENOSVC);
 	}
 
 	/*
@@ -110,7 +178,7 @@ vrrp_cmd_request(void *cmd, size_t csize, vrrp_cmd_func_t func, void *arg)
 			continue;
 		}
 		(void) close(sock);
-		return (VRRP_ECMD);
+		return (VRRP_ESYS);
 	}
 
 	if ((err = ret.vr_err) != VRRP_SUCCESS)
@@ -163,9 +231,6 @@ vrrp_err2str(vrrp_err_t err)
 		return (dgettext(TEXT_DOMAIN, "router name already exists"));
 	case VRRP_ENOTFOUND:
 		return (dgettext(TEXT_DOMAIN, "VRRP router not found"));
-	case VRRP_ECMD:
-		return (dgettext(TEXT_DOMAIN, "failed to communicate to "
-		    "vrrpd"));
 	case VRRP_EINVALADDR:
 		return (dgettext(TEXT_DOMAIN, "invalid IP address"));
 	case VRRP_EINVALAF:
@@ -185,6 +250,9 @@ vrrp_err2str(vrrp_err_t err)
 		    "created"));
 	case VRRP_ENOLINK:
 		return (dgettext(TEXT_DOMAIN, "the data-link does not exist"));
+	case VRRP_ENOSVC:
+		return (dgettext(TEXT_DOMAIN, "the VRRP service cannot "
+		    "be enabled"));
 	case VRRP_EINVAL:
 	default:
 		return (dgettext(TEXT_DOMAIN, "invalid argument"));
@@ -257,10 +325,31 @@ vrrp_create(vrrp_handle_t vh, vrrp_vr_conf_t *conf)
 	vrrp_cmd_create_t	cmd;
 	vrrp_err_t		err;
 
+again:
+	/*
+	 * Enable the VRRP service if it is not already enabled.
+	 */
+	if ((err = vrrp_enable_service()) != VRRP_SUCCESS)
+		return (err);
+
 	cmd.vcc_cmd = VRRP_CMD_CREATE;
 	(void) memcpy(&cmd.vcc_conf, conf, sizeof (vrrp_vr_conf_t));
 
 	err = vrrp_cmd_request(&cmd, sizeof (cmd), NULL, NULL);
+	if (err == VRRP_ENOSVC) {
+		/*
+		 * This may be due to another process is deleting the last
+		 * router and disabled the VRRP service, try again.
+		 */
+		goto again;
+	} else if (err != VRRP_SUCCESS) {
+		/*
+		 * If router cannot be created, check if the VRRP service
+		 * should be disabled, and disable if needed.
+		 */
+		vrrp_disable_service_when_no_router();
+	}
+
 	return (err);
 }
 
@@ -271,11 +360,20 @@ vrrp_delete(vrrp_handle_t vh, const char *vn)
 	vrrp_cmd_delete_t	cmd;
 	vrrp_err_t		err;
 
+	/*
+	 * If the VRRP service is not enabled, we assume there is no router
+	 * configured.
+	 */
+	if (!vrrp_svc_isonline(VRRP_SERVICE))
+		return (VRRP_ENOTFOUND);
+
 	cmd.vcd_cmd = VRRP_CMD_DELETE;
 	if (strlcpy(cmd.vcd_name, vn, VRRP_NAME_MAX) >= VRRP_NAME_MAX)
 		return (VRRP_EINVAL);
 
 	err = vrrp_cmd_request(&cmd, sizeof (cmd), NULL, NULL);
+	if (err == VRRP_SUCCESS)
+		vrrp_disable_service_when_no_router();
 	return (err);
 }
 
@@ -286,6 +384,13 @@ vrrp_enable(vrrp_handle_t vh, const char *vn)
 	vrrp_cmd_enable_t	cmd;
 	vrrp_err_t		err;
 
+	/*
+	 * If the VRRP service is not enabled, we assume there is no router
+	 * configured.
+	 */
+	if (!vrrp_svc_isonline(VRRP_SERVICE))
+		return (VRRP_ENOTFOUND);
+
 	cmd.vcs_cmd = VRRP_CMD_ENABLE;
 	if (strlcpy(cmd.vcs_name, vn, VRRP_NAME_MAX) >= VRRP_NAME_MAX)
 		return (VRRP_EINVAL);
@@ -301,6 +406,13 @@ vrrp_disable(vrrp_handle_t vh, const char *vn)
 	vrrp_cmd_disable_t	cmd;
 	vrrp_err_t		err;
 
+	/*
+	 * If the VRRP service is not enabled, we assume there is no router
+	 * configured.
+	 */
+	if (!vrrp_svc_isonline(VRRP_SERVICE))
+		return (VRRP_ENOTFOUND);
+
 	cmd.vcx_cmd = VRRP_CMD_DISABLE;
 	if (strlcpy(cmd.vcx_name, vn, VRRP_NAME_MAX) >= VRRP_NAME_MAX)
 		return (VRRP_EINVAL);
@@ -316,6 +428,13 @@ vrrp_modify(vrrp_handle_t vh, vrrp_vr_conf_t *conf, uint32_t mask)
 	vrrp_cmd_modify_t	cmd;
 	vrrp_err_t		err;
 
+	/*
+	 * If the VRRP service is not enabled, we assume there is no router
+	 * configured.
+	 */
+	if (!vrrp_svc_isonline(VRRP_SERVICE))
+		return (VRRP_ENOTFOUND);
+
 	cmd.vcm_cmd = VRRP_CMD_MODIFY;
 	cmd.vcm_mask = mask;
 	(void) memcpy(&cmd.vcm_conf, conf, sizeof (vrrp_vr_conf_t));
@@ -352,7 +471,7 @@ vrrp_list_func(int sock, void *arg)
 			cur_size += len;
 			continue;
 		}
-		return (VRRP_ECMD);
+		return (VRRP_ESYS);
 	}
 
 	*(list_arg->vfl_cnt) = out_cnt = ret.vrl_cnt;
@@ -369,7 +488,7 @@ vrrp_list_func(int sock, void *arg)
 			cur_size += len;
 			continue;
 		}
-		return (VRRP_ECMD);
+		return (VRRP_ESYS);
 	}
 	return (VRRP_SUCCESS);
 }
@@ -405,6 +524,15 @@ vrrp_list(vrrp_handle_t vh, vrid_t vrid, const char *intf, int af,
 		return (VRRP_EINVAL);
 	}
 
+	/*
+	 * If the service is not online, we assume there is no router
+	 * configured.
+	 */
+	if (!vrrp_svc_isonline(VRRP_SERVICE)) {
+		*cnt = 0;
+		return (VRRP_SUCCESS);
+	}
+
 	cmd.vcl_cmd = VRRP_CMD_LIST;
 	cmd.vcl_vrid = vrid;
 	cmd.vcl_af = af;
@@ -436,7 +564,7 @@ vrrp_query_func(int sock, void *arg)
 			cur_size += len;
 			continue;
 		}
-		return (VRRP_ECMD);
+		return (VRRP_ESYS);
 	}
 
 	out_cnt = qinfo->show_va.va_vipcnt;
@@ -458,7 +586,7 @@ vrrp_query_func(int sock, void *arg)
 			cur_size += len;
 			continue;
 		}
-		return (VRRP_ECMD);
+		return (VRRP_ESYS);
 	}
 	return (VRRP_SUCCESS);
 }
@@ -479,6 +607,13 @@ vrrp_query(vrrp_handle_t vh, const char *vn, vrrp_queryinfo_t **vqp)
 	if (strlcpy(cmd.vcq_name, vn, VRRP_NAME_MAX) >= VRRP_NAME_MAX)
 		return (VRRP_EINVAL);
 
+	/*
+	 * If the service is not online, we assume there is no router
+	 * configured.
+	 */
+	if (!vrrp_svc_isonline(VRRP_SERVICE))
+		return (VRRP_ENOTFOUND);
+
 	cmd.vcq_cmd = VRRP_CMD_QUERY;
 
 	/*
diff --git a/usr/src/lib/libvrrpadm/common/libvrrpadm.h b/usr/src/lib/libvrrpadm/common/libvrrpadm.h
index 9137de645d..703c256d10 100644
--- a/usr/src/lib/libvrrpadm/common/libvrrpadm.h
+++ b/usr/src/lib/libvrrpadm/common/libvrrpadm.h
@@ -20,7 +20,7 @@
  */
 
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -171,7 +171,7 @@ typedef enum {
 	VRRP_EDLADM,		/* dladm failure */
 	VRRP_EIPADM,		/* ipadm failure */
 	VRRP_ESYS,		/* system error */
-	VRRP_ECMD		/* command request error */
+	VRRP_ENOSVC		/* VRRP service not enabled */
 } vrrp_err_t;
 
 /*
diff --git a/usr/src/pkgdefs/SUNW0on/prototype_com b/usr/src/pkgdefs/SUNW0on/prototype_com
index 9cfadf60ec..14e5556ebe 100644
--- a/usr/src/pkgdefs/SUNW0on/prototype_com
+++ b/usr/src/pkgdefs/SUNW0on/prototype_com
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # This required package information file contains a list of package contents.
@@ -296,6 +296,7 @@ f none usr/lib/help/auths/locale/NetworkHeader.html 444 root bin
 f none usr/lib/help/auths/locale/NetworkILBconf.html 444 root bin
 f none usr/lib/help/auths/locale/NetworkILBenable.html 444 root bin
 f none usr/lib/help/auths/locale/NetworkVRRP.html 444 root bin
+f none usr/lib/help/auths/locale/SmfVRRPStates.html 444 root bin
 f none usr/lib/help/auths/locale/WifiConfig.html 444 root bin
 f none usr/lib/help/auths/locale/WifiWep.html 444 root bin
 f none usr/lib/help/auths/locale/LinkSecurity.html 444 root bin
diff --git a/usr/src/pkgdefs/SUNWcsu/prototype_com b/usr/src/pkgdefs/SUNWcsu/prototype_com
index a5713dfcd2..45660e57a1 100644
--- a/usr/src/pkgdefs/SUNWcsu/prototype_com
+++ b/usr/src/pkgdefs/SUNWcsu/prototype_com
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # This required package information file contains a list of package contents.
@@ -523,6 +523,7 @@ f none usr/lib/help/auths/locale/C/SmfSMBFSStates.html 444 root bin
 f none usr/lib/help/auths/locale/C/SmfSMBStates.html 444 root bin
 f none usr/lib/help/auths/locale/C/SmfSshStates.html 444 root bin
 f none usr/lib/help/auths/locale/C/SmfSyslogStates.html 444 root bin
+f none usr/lib/help/auths/locale/C/SmfVRRPStates.html 444 root bin
 f none usr/lib/help/auths/locale/C/SmfValueCoreadm.html 444 root bin
 f none usr/lib/help/auths/locale/C/SmfValueExAcctFlow.html 444 root bin
 f none usr/lib/help/auths/locale/C/SmfValueExAcctProcess.html 444 root bin