Feature #12702
Status: closed
Use consistent pf host ID and add GUI option to set a custom host ID in state synchronization settings
% Done: 0%
Description
On system_hasync.php we should add a GUI field to set a custom pf hostid value. This value is a 32-bit number which uniquely identifies the host which created a given pf state. It doesn't need to be globally unique, only unique within a given set of nodes participating in HA sync (e.g. primary and secondary nodes would have a different ID, but it could be as simple as 1 and 2).
By default pf uses a random 32-bit value that changes on each filter reload. Using a custom static value would make it easier to spot in the state data, CARP status page, and so on. It also allows us to kill a state only if it was created on a specific host.
We could try to automatically set an ID based on some criteria (LAN IP address, etc) but it may be hard to ensure it's unique between nodes participating in pfsync without letting the user have a manual way to override the value.
In the GUI this field would go on system_hasync.php in the "State Synchronization Settings" section. It should be labeled "Filter Host ID" and be a text box entry.
pf allows it to be set as an integer (e.g. 222) or hex string (0x12345678) but it seems happier with a hex string as that's what it displays in the state data. Sticking to hex strings would make the GUI input and status output more consistent.
In pf.conf the ID is set like this:
    set hostid 0x12345678
That would go around line 336 in filter.inc where we generate the ruleset (at the start of limitrules) or near there and should only be set if the configuration contains a valid value. Similar to this, but with better validation:
    if (!empty($config['hasync']['pfhostid'])) {
        $limitrules .= "set hostid 0x{$config['hasync']['pfhostid']}\n";
    }
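The following is an added example of what the "better validation" asked for above could look like; it is not code from the ticket or from pfSense. The config key `$config['hasync']['pfhostid']` is taken from the snippet above, while the function names and the decision to store the value as bare hex digits (emitted as `set hostid 0x...`) are assumptions. It covers the GUI-side input check and the ruleset generation, so an invalid or corrupt stored value never produces a broken `set hostid` line.

```php
<?php
// Added example, not pfSense's own code: validation and rule generation for a
// custom pf host ID. Config key from the ticket; function names are assumptions.

// Validate a user-supplied host ID string from the "Filter Host ID" text box.
// Accepts 1-8 hex digits, optionally prefixed with "0x"; this keeps the value
// within the 32-bit range pf expects. A zero ID is rejected because it would
// not distinguish this node from anything. Returns an error message or null.
function validate_pf_hostid(string $input): ?string {
    $v = trim($input);
    if ($v === '') {
        return null; // empty means "leave pf's default random ID alone"
    }
    if (!preg_match('/^(0x)?([0-9a-fA-F]{1,8})$/', $v, $m)) {
        return 'Filter Host ID must be a hexadecimal value of up to 8 digits (e.g. 0x12345678).';
    }
    if (hexdec($m[2]) === 0) {
        return 'Filter Host ID must be non-zero.';
    }
    return null;
}

// Normalize a valid input to 8 lowercase hex digits without the 0x prefix.
// This is the form assumed for storage in the config, and it matches how pf
// prints the ID in state output, so status pages and rules stay consistent.
function normalize_pf_hostid(string $input): string {
    $v = strtolower(trim($input));
    if (substr($v, 0, 2) === '0x') {
        $v = substr($v, 2);
    }
    return str_pad($v, 8, '0', STR_PAD_LEFT);
}

// Build the pf.conf line for the ruleset (the limitrules section in filter.inc).
// Re-validates the stored value, so a hand-edited or corrupt config entry
// results in no line at all rather than a ruleset that fails to load.
function pf_hostid_rule(array $hasync): string {
    $id = $hasync['pfhostid'] ?? '';
    if ($id === '' || validate_pf_hostid($id) !== null) {
        return '';
    }
    return "set hostid 0x" . normalize_pf_hostid($id) . "\n";
}

// Constructed sample inputs covering valid, empty, zero, non-hex and oversized values.
foreach (['0x12345678', 'abcd', '0x1', '', '0x0', 'zz', '0x123456789', '222'] as $in) {
    $err = validate_pf_hostid($in);
    $result = ($err !== null) ? "rejected: $err" : 'rule: ' . trim(pf_hostid_rule(['pfhostid' => $in]));
    printf("%-14s -> %s\n", var_export($in, true), $result);
}
```

Note that because the field is hex-only, an input like `222` is interpreted as `0x00000222`, not decimal 222; that is the trade-off of sticking to hex strings as the ticket suggests, and the GUI label or help text should say so. The empty-input case deliberately validates as OK and emits nothing, preserving pf's default random per-reload ID.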