Feature #12702: Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings
Status: Closed
Description
On system_hasync.php we should add a GUI field to set a custom pf hostid value. This value is a 32-bit number which uniquely identifies the host which created a given pf state. It doesn't need to be globally unique, only unique within a given set of nodes participating in HA sync (e.g. primary and secondary nodes would have a different ID, but it could be as simple as 1 and 2).
By default pf uses a random 32-bit value that changes on each filter reload. Using a custom static value would make it easier to spot in the state data, CARP status page, and so on. It also allows us to kill a state only if it was created on a specific host.
We could try to automatically set an ID based on some criteria (LAN IP address, etc) but it may be hard to ensure it's unique between nodes participating in pfsync without letting the user have a manual way to override the value.
In the GUI this field would go on system_hasync.php in the "State Synchronization Settings" section. It should be labeled "Filter Host ID" and be a text box entry.
pf allows it to be set as an integer (e.g. 222) or hex string (0x12345678) but it seems happier with a hex string as that's what it displays in the state data. Sticking to hex strings would make the GUI input and status output more consistent.
In pf.conf the ID is set like this:
set hostid 0x12345678
That would go around line 336 in filter.inc where we generate the ruleset (at the start of limitrules) or near there and should only be set if the configuration contains a valid value. Similar to this, but with better validation:
// Emit the pf.conf line only when a host ID is configured; the stored value is
// expected to be bare hex digits, so the "0x" prefix is prepended here.
if (!empty($config['hasync']['pfhostid'])) {
    $limitrules .= "set hostid 0x{$config['hasync']['pfhostid']}\n";
}
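The following is an added example, not pfSense's own code, of the validation the description asks for. It follows the hex-only recommendation above (so an entry of 222 means 0x222, matching the `0x{...}` prefixing in the sketch), normalizes the entry to eight hex digits, rejects zero and anything wider than 32 bits, builds the `set hostid` fragment for $limitrules, and checks that the nodes of one pfsync group do not share an ID. The function names and the sample config arrays are assumptions made for illustration.

```php
<?php
// Added example; not pfSense code. normalize_pf_hostid(), pf_hostid_rule(),
// pf_hostid_collisions() and the sample arrays below are assumptions.

/**
 * Normalize a GUI "Filter Host ID" entry to eight lowercase hex digits.
 * Accepts 1-8 hex digits with or without a leading "0x" (e.g. "2",
 * "0x12345678", "DEADBEEF"). Returns null for anything else, including
 * zero (pf's "no host ID" value) and values that do not fit in 32 bits.
 */
function normalize_pf_hostid(string $input): ?string {
    $s = strtolower(trim($input));
    if (!preg_match('/^(?:0x)?([0-9a-f]{1,8})$/', $s, $m)) {
        return null;
    }
    $hex = str_pad($m[1], 8, '0', STR_PAD_LEFT);
    return ($hex === '00000000') ? null : $hex;
}

/**
 * Build the pf.conf fragment for $limitrules. Emits nothing when the field
 * is empty or invalid, so pf keeps its random per-reload ID rather than
 * being handed a ruleset line that fails to parse.
 */
function pf_hostid_rule(array $hasync): string {
    if (empty($hasync['pfhostid'])) {
        return '';
    }
    $hex = normalize_pf_hostid((string)$hasync['pfhostid']);
    return ($hex === null) ? '' : "set hostid 0x{$hex}\n";
}

/**
 * The ID only has to be unique among the nodes of one pfsync group.
 * Given node name => configured ID, return the IDs claimed by more than
 * one node (an empty array means the group is consistent).
 */
function pf_hostid_collisions(array $node_ids): array {
    $by_id = [];
    foreach ($node_ids as $node => $raw) {
        $hex = normalize_pf_hostid((string)$raw);
        if ($hex !== null) {          // invalid/unset entries get a random ID from pf
            $by_id[$hex][] = $node;
        }
    }
    return array_filter($by_id, fn($nodes) => count($nodes) > 1);
}

// Constructed sample inputs, standing in for what the GUI would store in
// $config['hasync']['pfhostid'].
$cases = ['1', '0xdeadbeef', 'DEADBEEF', '222', '0', '0x1deadbeef', 'zz'];
foreach ($cases as $c) {
    printf("%-12s -> %s\n", $c, normalize_pf_hostid($c) ?? 'rejected');
}
// 1 -> 00000001, 0xdeadbeef -> deadbeef, DEADBEEF -> deadbeef, 222 -> 00000222,
// 0 -> rejected, 0x1deadbeef -> rejected (33 bits), zz -> rejected

echo pf_hostid_rule(['pfhostid' => 'deadbeef']);   // set hostid 0xdeadbeef
echo pf_hostid_rule(['pfhostid' => '']);           // nothing: pf picks a random ID

// Constructed HA group where two nodes were given the same ID by mistake.
print_r(pf_hostid_collisions([
    'primary'   => '1',
    'secondary' => '0x00000001',
    'tertiary'  => '2',
]));
// Array ( [00000001] => Array ( [0] => primary [1] => secondary ) )
```

Rejecting rather than silently mangling an invalid entry matters because the ruleset is generated on every filter reload: a malformed `set hostid` line would break the whole reload, while emitting nothing just returns pf to its default random ID.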
Related issues
Updated by Jim Pingle almost 3 years ago
- Related to Bug #12703: pf ``hostid`` value is handled inconsistently added
Updated by Jim Pingle almost 3 years ago
- Description updated (diff)
Updated description, it works better when set in $limitrules
Updated by Jim Pingle almost 3 years ago
- Status changed from New to In Progress
- Assignee set to Jim Pingle
- Target version changed from CE-Next to 2.7.0
Updated by Jim Pingle almost 3 years ago
- Status changed from In Progress to Pull Request Review
Updated by Jim Pingle almost 3 years ago
- Status changed from Pull Request Review to Feedback
Changes merged, will be in snapshots soon for testing.
Updated by Christopher Cope almost 3 years ago
Tested, from the patch, on both a single system and a HA pair all running
22.05-DEVELOPMENT (amd64) built on Wed Mar 16 06:19:09 UTC 2022 FreeBSD 12.3-STABLE
Everything seems to work as expected.
One thing of note is setting the ID to deadbeef results in the status showing efbeadde. I assume that is related to endianness. If that is expected, I think we should have a note or some way of handling that. If the user is expecting it to match their input exactly, which I think is reasonable, that could lead to issues unless they check the status page first.
#12703 was the cause of the above issue.
Everything looks good on
22.05-DEVELOPMENT (amd64) built on Fri Mar 18 06:18:01 UTC 2022 FreeBSD 12.3-STABLE
Updated by Jim Pingle almost 3 years ago
That's from #12703 and is fixed on snapshots later than what you're running. Upgrade and test again.
Updated by Christopher Cope over 2 years ago
Marking resolved. As noted above, everything was good from version
22.05-DEVELOPMENT (amd64) built on Fri Mar 18 06:18:01 UTC 2022 FreeBSD 12.3-STABLE
and on.
Updated by Christopher Cope over 2 years ago
- Status changed from Feedback to Resolved
Updated by Jim Pingle over 2 years ago
- Subject changed from GUI option for custom host ID in state synchronization settings to Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings
Updating subject for release notes.