diff --git a/backport-IPaddr2-add-link-status-DOWN-LOWERLAYERDOWN-check.patch b/backport-IPaddr2-add-link-status-DOWN-LOWERLAYERDOWN-check.patch
new file mode 100644
index 0000000000000000000000000000000000000000..198bf269093ca4d569d7254df6c382e4639464be
--- /dev/null
+++ b/backport-IPaddr2-add-link-status-DOWN-LOWERLAYERDOWN-check.patch
@@ -0,0 +1,121 @@ +From 4a228f3d8212368124134c01f958ac43e32cec08 Mon Sep 17 00:00:00 2001 +From: Oyvind Albrigtsen +Date: Mon, 7 Apr 2025 09:19:37 +0200 +Subject: [PATCH] IPaddr2: add link status DOWN/LOWERLAYERDOWN check + +--- + heartbeat/IPaddr2 | 42 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 41 insertions(+), 1 deletion(-) + +diff --git a/heartbeat/IPaddr2 b/heartbeat/IPaddr2 +index cf03e442..230ac853 100755 +--- a/heartbeat/IPaddr2 ++++ b/heartbeat/IPaddr2 +@@ -92,6 +92,19 @@ OCF_RESKEY_nodad_default=false + OCF_RESKEY_noprefixroute_default="false" + OCF_RESKEY_preferred_lft_default="forever" + OCF_RESKEY_network_namespace_default="" ++OCF_RESKEY_check_link_status_default="true" ++ ++# RHEL specific defaults ++if is_redhat_based; then ++ get_os_ver ++ ocf_version_cmp "$VER" "10.1" 2>/dev/null ++ ++ case "$?" in ++ # RHEL < 10.1 ++ 0) ++ OCF_RESKEY_check_link_status_default="false";; ++ esac ++fi + + : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}} + : ${OCF_RESKEY_cidr_netmask=${OCF_RESKEY_cidr_netmask_default}} +@@ -116,6 +129,7 @@ OCF_RESKEY_network_namespace_default="" + : ${OCF_RESKEY_noprefixroute=${OCF_RESKEY_noprefixroute_default}} + : ${OCF_RESKEY_preferred_lft=${OCF_RESKEY_preferred_lft_default}} + : ${OCF_RESKEY_network_namespace=${OCF_RESKEY_network_namespace_default}} ++: ${OCF_RESKEY_check_link_status=${OCF_RESKEY_check_link_status_default}} + + ####################################################################### + +@@ -449,6 +463,14 @@ the namespace. + Network namespace to use + + ++ ++ ++ ++Consider the resource failed if the interface has status DOWN or LOWERLAYERDOWN. 
++ ++Consider the resource failed if the interface has status DOWN or LOWERLAYERDOWN ++ ++ + + + +@@ -581,6 +603,9 @@ ip_init() { + elif [ "$__OCF_ACTION" = stop ]; then + ocf_log warn "[$FINDIF] failed" + exit $OCF_SUCCESS ++ elif [ "$__OCF_ACTION" = start ]; then ++ ocf_exit_reason "[$FINDIF] failed" ++ exit $OCF_ERR_INSTALLED + else + ocf_exit_reason "[$FINDIF] failed" + exit $rc +@@ -1002,6 +1027,12 @@ ip_served() { + return 0 + fi + ++ if ocf_is_true "$OCF_RESKEY_check_link_status" && $IP2UTIL -f $FAMILY addr show $cur_nic | \ ++ grep -q "[[:space:]]\(DOWN\|LOWERLAYERDOWN\)[[:space:]]"; then ++ echo "down" ++ return 0 ++ fi ++ + if [ -z "$IP_CIP" ]; then + for i in $cur_nic; do + # check address label +@@ -1073,6 +1104,11 @@ ip_start() { + exit $OCF_SUCCESS + fi + ++ if [ "$ip_status" = "down" ]; then ++ ocf_exit_reason "IP $OCF_RESKEY_ip available, but device has status $ip_status" ++ exit $OCF_ERR_INSTALLED ++ fi ++ + if [ "$ip_status" = "partial3" ]; then + ocf_exit_reason "IP $OCF_RESKEY_ip available, but label missing" + exit $OCF_ERR_GENERIC +@@ -1096,7 +1132,7 @@ ip_start() { + echo "+$IP_INC_NO" >$IP_CIP_FILE + fi + +- if [ "$ip_status" = "no" ]; then ++ if [ "$ip_status" != "ok" ]; then + if ocf_is_true ${OCF_RESKEY_lvs_support}; then + for i in `find_interface $OCF_RESKEY_ip 32`; do + case $i in +@@ -1213,6 +1249,7 @@ ip_monitor() { + # interface health maybe via a daemon like FailSafe etc... + + local ip_status=`ip_served` ++ ocf_log debug "monitor: $ip_status" + case $ip_status in + ok) + run_arp_sender refresh +@@ -1221,6 +1258,9 @@ ip_monitor() { + no) + exit $OCF_NOT_RUNNING + ;; ++ down) ++ exit $OCF_ERR_INSTALLED ++ ;; + *) + # Errors on this interface? + return $OCF_ERR_GENERIC +-- +2.25.1 + diff --git a/backport-findif.sh-fix-to-avoid-duplicate-route-issues.patch b/backport-findif.sh-fix-to-avoid-duplicate-route-issues.patch new file mode 100644 index 0000000000000000000000000000000000000000..be6637b13e7e5c527f17b957ff47f06c9e9e5b2f 
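Review bot: The link-status test added to ip_served() can pass without having checked anything, because `$cur_nic` is expanded unquoted into one `addr show` call while the loop right below it iterates `for i in $cur_nic`, which suggests the variable may hold several interfaces; with more than one name the command would presumably fail and grep would see no output. The pattern also accepts a DOWN or LOWERLAYERDOWN token anywhere in the listing instead of only after `state`. Testing each interface separately and anchoring on `state` would tie the result to the link state alone; whether one down interface among several should count as down needs confirming against the callers. Note too that ip_monitor() now exits with `$OCF_ERR_INSTALLED` for this status, so the parameter's longdesc should say how the cluster reacts to that code after a brief link flap. ip_served() begins and ends outside the hunk.

```shell
	# … unchanged: earlier ip_served checks …
	if ocf_is_true "$OCF_RESKEY_check_link_status"; then
		for i in $cur_nic; do
			# One interface per call, matched on the "state" field only.
			if $IP2UTIL -f $FAMILY addr show dev "$i" | \
				grep -q "[[:space:]]state \(DOWN\|LOWERLAYERDOWN\)[[:space:]]"; then
				echo "down"
				return 0
			fi
		done
	fi
	# … unchanged: address label check …
```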
--- /dev/null
+++ b/backport-findif.sh-fix-to-avoid-duplicate-route-issues.patch
@@ -0,0 +1,40 @@ +From d0d2a0ff92dd23ee36cb57324c1eeaa3daed65bc Mon Sep 17 00:00:00 2001 +From: Oyvind Albrigtsen +Date: Tue, 4 Feb 2025 16:13:27 +0100 +Subject: [PATCH] findif.sh: fix to avoid duplicate route issues + +--- + heartbeat/findif.sh | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/heartbeat/findif.sh b/heartbeat/findif.sh +index 2ae91e95..6fb47110 100644 +--- a/heartbeat/findif.sh ++++ b/heartbeat/findif.sh +@@ -217,18 +217,14 @@ findif() + fi + if [ -n "$nic" ] ; then + # NIC supports more than two. +- routematch=$(ip -o -f $family route list match $match $proto $scope | grep -v "^\(unreachable\|prohibit\|blackhole\)" | grep "dev $nic " | sed -e 's,^\([0-9.]\+\) ,\1/32 ,;s,^\([0-9a-f:]\+\) ,\1/128 ,' | sort -t/ -k2,2nr) ++ routematch=$(ip -o -f $family route list match $match $proto $scope | grep "dev $nic " | sed -e 's,^\([0-9.]\+\) ,\1/32 ,;s,^\([0-9a-f:]\+\) ,\1/128 ,' | sort -t/ -k2,2nr) + else +- routematch=$(ip -o -f $family route list match $match $proto $scope | grep -v "^\(unreachable\|prohibit\|blackhole\)" | sed -e 's,^\([0-9.]\+\) ,\1/32 ,;s,^\([0-9a-f:]\+\) ,\1/128 ,' | sort -t/ -k2,2nr) +- fi +- if [ "$family" = "inet6" ]; then +- routematch=$(echo "$routematch" | grep -v "^default") ++ routematch=$(ip -o -f $family route list match $match $proto $scope | sed -e 's,^\([0-9.]\+\) ,\1/32 ,;s,^\([0-9a-f:]\+\) ,\1/128 ,' | sort -t/ -k2,2nr) + fi + +- if [ $(echo "$routematch" | wc -l) -gt 1 ]; then +- ocf_exit_reason "More than 1 routes match $match. Unable to decide which route to use." +- return $OCF_ERR_GENERIC +- fi ++ # ignore matches from unrelated tables, and sort by metric to get the route with the lowest metric ++ routematch=$(echo "$routematch" | awk '!/^(default|unreachable|prohibit|blackhole)/{match($0, /metric ([^ ]+)/, arr); print arr[1], $0}' | sort -k 1n -u | cut -d" " -f 2- | head -1) ++ + set -- $routematch + if [ $# = 0 ] ; then + case $OCF_RESKEY_ip in +-- +2.25.1 + 
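Review bot: Routes that carry no `metric` token get an empty sort key in the new awk stage, so `sort -k 1n` appears to fall back to the leading digits of the route prefix, and a metric-less route (presumably metric 0) can lose to one with an explicit metric; since the commit also removes the "More than 1 routes match" failure, a wrong pick is now silent. Defaulting the key would avoid that, e.g. `{m = match($0, /metric ([^ ]+)/, arr) ? arr[1] : 0; print m, $0}`. The three-argument `match()` is a gawk extension, so a comment stating that dependency (or a portable rewrite) would help on systems where awk is not gawk. findif() starts and ends outside the hunk.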
diff --git a/backport-mariadb-add-SSL-TLS-Support-2045.patch b/backport-mariadb-add-SSL-TLS-Support-2045.patch
new file mode 100644
index 0000000000000000000000000000000000000000..25db7d188f53497587d7e7624154cc013eddc2e0
--- /dev/null
+++ b/backport-mariadb-add-SSL-TLS-Support-2045.patch
@@ -0,0 +1,121 @@ +From b4306400423f0db6f22fdc79a619d5ebfc0dada6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ulrich=20G=C3=B6ttlich?= + <58074137+vafgoettlich@users.noreply.github.com> +Date: Tue, 27 May 2025 12:44:07 +0200 +Subject: [PATCH] mariadb: add SSL/TLS-Support (#2045) + +--- + heartbeat/mariadb.in | 43 +++++++++++++++++++++++++++++++++++++++ + heartbeat/mysql-common.sh | 9 +++++++- + 2 files changed, 51 insertions(+), 1 deletion(-) + mode change 100644 => 100755 heartbeat/mariadb.in + mode change 100755 => 100644 heartbeat/mysql-common.sh + +diff --git a/heartbeat/mariadb.in b/heartbeat/mariadb.in +old mode 100644 +new mode 100755 +index 1dca98ba..b0b741e0 +--- a/heartbeat/mariadb.in ++++ b/heartbeat/mariadb.in +@@ -247,6 +247,39 @@ The port on which the Promoted MariaDB instance is listening. + + + ++ ++ ++Enables SSL connection to local MySQL service for replication user. ++i.e. if REQUIRE SSL for replication user in MySQL set, this should be set to "true". ++ ++MySQL replication require ssl ++ ++ ++ ++ ++ ++The SSL CA certificate to be used for replication over SSL. ++ ++MySQL replication SSL CA certificate ++ ++ ++ ++ ++ ++The SSL CA certificate to be used for replication over SSL. ++ ++MySQL replication SSL certificate ++ ++ ++ ++ ++ ++The SSL certificate key to be used for replication over SSL. ++ ++MySQL replication SSL certificate key ++ ++ ++ + + + +@@ -255,6 +288,7 @@ The port on which the Promoted MariaDB instance is listening. + + + ++ + + + +@@ -600,6 +634,7 @@ check_slave() { + + set_master() { + local new_master=$($CRM_ATTR_REPL_INFO --query -q) ++ local master_ssl_params + + # Informs the MariaDB server of the master to replicate + # from. Accepts one mandatory argument which must contain the host +@@ -607,12 +642,20 @@ set_master() { + # from the laste master the slave replicated from, or freshly + # reset with RESET MASTER. + ocf_log info "Changing MariaDB configuration to replicate from $new_master." 
++ if [ -n "$OCF_RESKEY_replication_master_ssl_ca" ] && [ -n "$OCF_RESKEY_replication_master_ssl_cert" ] && [ -n "$OCF_RESKEY_replication_master_ssl_key" ]; then ++ master_ssl_params="MASTER_SSL=1, \ ++ MASTER_SSL_CA='$OCF_RESKEY_replication_master_ssl_ca', \ ++ MASTER_SSL_CERT='$OCF_RESKEY_replication_master_ssl_cert', \ ++ MASTER_SSL_KEY='$OCF_RESKEY_replication_master_ssl_key', " ++ fi ++ + + ocf_run $MYSQL $MYSQL_OPTIONS_REPL \ + -e "CHANGE MASTER TO MASTER_HOST='$new_master', \ + MASTER_PORT=$OCF_RESKEY_replication_port, \ + MASTER_USER='$OCF_RESKEY_replication_user', \ + MASTER_PASSWORD='$OCF_RESKEY_replication_passwd', \ ++ $master_ssl_params \ + MASTER_USE_GTID=current_pos"; + } + +diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh +old mode 100755 +new mode 100644 +index d6b4e3cd..7b842272 +--- a/heartbeat/mysql-common.sh ++++ b/heartbeat/mysql-common.sh +@@ -97,7 +97,14 @@ MYSQL_BINDIR=`dirname ${OCF_RESKEY_binary}` + + MYSQL=$OCF_RESKEY_client_binary + if ocf_is_true "$OCF_RESKEY_replication_require_ssl"; then +- MYSQL_OPTIONS_LOCAL_SSL_OPTIONS="--ssl-mode=REQUIRED" ++ if [ "${OCF_RESOURCE_TYPE}" = "mariadb" ] ; then ++ MYSQL_OPTIONS_LOCAL_SSL_OPTIONS="--ssl" ++ if [ -n "${OCF_RESKEY_replication_master_ssl_ca}" ] ; then ++ MYSQL_OPTIONS_LOCAL_SSL_OPTIONS="${MYSQL_OPTIONS_LOCAL_SSL_OPTIONS} --ssl-ca=${OCF_RESKEY_replication_master_ssl_ca}" ++ fi ++ else ++ MYSQL_OPTIONS_LOCAL_SSL_OPTIONS="--ssl-mode=REQUIRED" ++ fi + else + MYSQL_OPTIONS_LOCAL_SSL_OPTIONS="" + fi +-- +2.25.1 + diff --git a/resource-agents.spec b/resource-agents.spec index 4342d3d869115ab4453c1f45ced44a6cdc38ea6d..519ac0a0e0c3b492b0828e1dd859c32b880b95db 100644 --- a/resource-agents.spec +++ b/resource-agents.spec 
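Review bot: set_master() configures replication without TLS, and logs nothing, whenever any one of the three `replication_master_ssl_*` values is empty, because the new `if` has no else branch and never consults `OCF_RESKEY_replication_require_ssl`. Failing closed when that flag is true keeps a half-filled configuration from downgrading the replication channel. The certificate paths are also placed inside single quotes in the SQL text unescaped, so rejecting values that contain `'` would be prudent, and it is worth confirming whether `MASTER_SSL_VERIFY_SERVER_CERT=1` should accompany `MASTER_SSL=1` for the MariaDB versions in use. The callers of set_master() are outside the hunk, so the return code below is a suggestion to check against them.

```shell
	if [ -n "$OCF_RESKEY_replication_master_ssl_ca" ] && [ -n "$OCF_RESKEY_replication_master_ssl_cert" ] && [ -n "$OCF_RESKEY_replication_master_ssl_key" ]; then
		# … unchanged: master_ssl_params assignment …
	elif ocf_is_true "$OCF_RESKEY_replication_require_ssl"; then
		# Fail closed instead of configuring replication without TLS.
		ocf_exit_reason "replication_require_ssl is set, but replication_master_ssl_ca, _cert and _key are not all configured"
		return $OCF_ERR_CONFIGURED
	fi
```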
@@ -1,7 +1,7 @@ Name: resource-agents Summary: Open Source HA Reusable Cluster Resource Scripts Version: 4.16.0 -Release: 7 +Release: 8 License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/resource-agents Source0: https://github.com/ClusterLabs/resource-agents/releases/tag/v%{version}.tar.gz @@ -16,6 +16,10 @@ Patch0007: backport-awsvip-let-user-specify-which-interface-to-use-and Patch0008: backport-Filesystem-dont-report-warnings-when-creating-a-File.patch Patch0009: backport-Filesystem-fix-getting-the-wrong-block-device-when-d.patch Patch0010: backport-Filesystem-remove-validate-all-fstype-check-as-there.patch +Patch0011: backport-IPaddr2-add-link-status-DOWN-LOWERLAYERDOWN-check.patch +Patch0012: backport-findif.sh-fix-to-avoid-duplicate-route-issues.patch +Patch0013: backport-mariadb-add-SSL-TLS-Support-2045.patch + Obsoletes: heartbeat-resources <= %{version} Provides: heartbeat-resources = %{version} BuildRequires: automake autoconf pkgconfig gcc perl-interpreter perl-generators python3-devel @@ -113,6 +117,11 @@ export CFLAGS="$(echo '%{optflags}')" %{_mandir}/man8/{ocf-tester.8*,ldirectord.8*} %changelog +* Mon Oct 20 2025 bizhiyuan - 4.16.0-8 +- findif.sh: fix to avoid duplicate route issues +- mariadb: add SSL/TLS-Support +- IPaddr2: add link status DOWN/LOWERLAYERDOWN check + * Fri Aug 22 2025 zouzhimin - 4.16.0-7 - Filesystem: dont report warnings when creating a Filesystem resource - Filesystem: fix getting the wrong block device when doing grep