Regression #14322
CARP password is not being respected on 23.05 snapshots
Status: closed, 100% done
Description
On pfSense Plus 23.01, Plus 23.05 snapshots, and CE 2.7.0 snapshots, it appears that the CARP password is not being respected.
On 22.05 and earlier releases, changing a CARP VIP password on the secondary node would cause both nodes to take over MASTER status since they were not able to authenticate messages from their peer. On FreeBSD 14-based builds, the two nodes continue to act as if they have a matching password, taking MASTER and BACKUP roles as circumstances require.
A packet capture shows both old and new builds have "authlen" set when parsed as CARP.
It's not clear if it's related, but when looking at the keying material with ifconfig -k, older releases printed the actual password while FreeBSD 14 builds print junk data:
22.05:
: ifconfig -k igb1
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	[...]
	inet 198.51.100.16 netmask 0xffffff00 broadcast 198.51.100.255
	inet 198.51.100.210 netmask 0xffffff00 broadcast 198.51.100.255 vhid 210
	carp: MASTER vhid 210 advbase 1 advskew 1 key "aaaaaa"
	[...]
Builds based on FreeBSD 14 print junk for the key:
: ifconfig -k vtnet1
vtnet1: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	[...]
	inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 1 key "���" peer 224.0.0.18 peer6 ff02::12
	[...]
Updated by Jim Pingle over 1 year ago
- Status changed from Confirmed to In Progress
- Assignee set to Kristof Provost
Kristof is looking into this. He says it's actually two separate problems (the password behavior, and printing out the password).
Updated by Kristof Provost over 1 year ago
https://reviews.freebsd.org/D39874 has the fix(es). I'll give melifaro@ a few days to look at the netlink bits.
Updated by Kristof Provost over 1 year ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
I've committed the fix upstream and cherry-picked it to our branches. This will be fixed in the next snapshots.
Updated by Jim Pingle over 1 year ago
- Subject changed from CARP password is not being respected on FreeBSD 14-based builds to CARP password is not being respected on 23.05 snapshots
- Status changed from Feedback to Resolved
- Private changed from Yes to No
- Release Notes changed from Default to Force Exclusion
Nodes are behaving properly on the current snapshot (23.05.b.20230501.0600) again, thanks!
- If I change the VIP password on the secondary node, both nodes take over as master, which is the intended/expected behavior
- If I roll one node back to 23.01, CARP works as expected between the two nodes, taking over master/backup status at the intended times.
- ifconfig -k <ifname> prints the expected output: carp: MASTER vhid 1 advbase 1 advskew 101 key "aaaaaa"
Removing private flag and excluding from release notes since this ended up being a regression only on 23.05 development images and not in any release.
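
Added example (not part of the original issue, and not pfSense or FreeBSD code): one way to automate the two checks used in this issue, by parsing ifconfig -k output from both nodes and flagging a key that is missing or not printable, or a vhid whose keys differ while the peers still hold MASTER/BACKUP roles. The function names and the sample output are constructed for illustration.

```python
import re

CARP_RE = re.compile(r'carp:\s+(\w+)\s+vhid\s+(\d+)')
KEY_RE = re.compile(r'key\s+"([^"]*)"')

def parse_carp(ifconfig_output):
    """Return {vhid: (state, key)} from `ifconfig -k <ifname>` text."""
    vhids = {}
    for line in ifconfig_output.splitlines():
        m = CARP_RE.search(line)
        if m:
            k = KEY_RE.search(line)
            vhids[int(m.group(2))] = (m.group(1), k.group(1) if k else None)
    return vhids

def printable(key):
    """True when the displayed key is present and plain printable ASCII."""
    return key is not None and key.isascii() and key.isprintable()

def check_pair(node_a, node_b):
    """Compare both nodes' output; return a list of (vhid, finding)."""
    a, b = parse_carp(node_a), parse_carp(node_b)
    findings = []
    for vhid in sorted(a.keys() & b.keys()):
        (state_a, key_a), (state_b, key_b) = a[vhid], b[vhid]
        if not (printable(key_a) and printable(key_b)):
            # Displayed key is missing or junk, so it cannot be compared.
            findings.append((vhid, "key missing or not printable"))
        elif key_a != key_b and {state_a, state_b} == {"MASTER", "BACKUP"}:
            # Peers with different passwords must not accept each other.
            findings.append((vhid, "password mismatch not enforced"))
    return findings

def sample(state, key):
    """Constructed sample output, modeled on the captures in this issue."""
    return ("vtnet1: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>"
            " metric 0 mtu 1500\n"
            "\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1\n"
            f"\tcarp: {state} vhid 1 advbase 1 advskew 1 key \"{key}\"\n")

if __name__ == "__main__":
    # Secondary has a different password but stays BACKUP: flagged.
    print(check_pair(sample("MASTER", "aaaaaa"), sample("BACKUP", "bbbbbb")))
```

Both nodes reporting MASTER with different keys returns no finding, since that is the expected behavior described above.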