Project

General

Profile

Actions

Feature #12702

closed

Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings

Added by Jim Pingle almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
High Availability
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default

Description

On system_hasync.php we should add a GUI field to set a custom pf hostid value. This value is a 32-bit number which uniquely identifies the host which created a given pf state. It doesn't need to be globally unique, only unique within a given set of nodes participating in HA sync (e.g. primary and secondary nodes would have a different ID, but it could be as simple as 1 and 2)

By default pf uses a random 32-bit value that changes on each filter reload. Using a custom static value would make it easier to spot in the state data, CARP status page, and so on. It also allows us to kill a state only if it was created on a specific host.

We could try to automatically set an ID based on some criteria (LAN IP address, etc) but it may be hard to ensure it's unique between nodes participating in pfsync without letting the user have a manual way to override the value.

In the GUI this field would go on system_hasync.php in the "State Synchronization Settings" section. It should be labeled "Filter Host ID" and be a text box entry.

pf allows it to be set as an integer (e.g. 222) or hex string (0x12345678) but it seems happier with a hex string as that's what it displays in the state data. Sticking to hex strings would make the GUI input and status output more consistent.

In pf.conf the ID is set like this:

set hostid 0x12345678

That would go around line 336 in filter.inc where we generate the ruleset (at the start of limitrules) or near there and should only be set if the configuration contains a valid value. Similar to this, but with better validation:

    if (!empty($config['hasync']['pfhostid'])) {
        $limitrules .= "set hostid 0x{$config['hasync']['pfhostid']}\n";
    }

Related issues

Related to Bug #12703: pf ``hostid`` value is handled inconsistentlyResolvedKristof Provost

Actions
Actions

Also available in: Atom PDF