Regression #14322
closed
CARP password is not being respected on 23.05 snapshots
100%
Description
On pfSense Plus 23.01, Plus 23.05 snapshots, and CE 2.7.0 snapshots, it appears that the CARP password is not being respected.
On 22.05 and earlier releases, changing a CARP VIP password on the secondary node would cause both nodes to take over MASTER status since they were not able to authenticate messages from their peer. On FreeBSD 14-based builds, the two nodes continue to act as if they have a matching password, taking MASTER and BACKUP roles as circumstances require.
A packet capture shows both old and new builds have "authlen" set when parsed as CARP.
It's not clear if it's related, but when looking at the keying material with ifconfig -k, older releases printed the actual password while FreeBSD 14 builds print junk data:
22.05:
: ifconfig -k igb1
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
[...]
    inet 198.51.100.16 netmask 0xffffff00 broadcast 198.51.100.255
    inet 198.51.100.210 netmask 0xffffff00 broadcast 198.51.100.255 vhid 210
    carp: MASTER vhid 210 advbase 1 advskew 1 key "aaaaaa"
[...]
Builds based on FreeBSD 14 print junk for the key:
: ifconfig -k vtnet1
vtnet1: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
[...]
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 1 key "���"
          peer 224.0.0.18 peer6 ff02::12
[...]
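A check for the ifconfig -k symptom described above, as an added example that is not part of the original report or of pfSense: it reports, per CARP VIP, whether the printed key is printable ASCII. The function and sample names are hypothetical, the sample output is constructed from the two captures in the report, and the check assumes the configured password is printable ASCII.

```shell
# Added example: flag CARP VIPs whose key, as printed by `ifconfig -k`,
# contains bytes outside printable ASCII (assumed to indicate a junk key).
# Usage on a node: ifconfig -k igb1 | carp_key_check

# Reads `ifconfig -k <if>` output on stdin and prints "vhid N key STATE" per
# CARP VIP (STATE: printable, nonprintable, absent). Exit 1 on nonprintable.
carp_key_check() {
    LC_ALL=C awk '
    function report() {
        if (vhid == "") return
        printf "vhid %s key %s\n", vhid, state
        if (state == "nonprintable") bad = 1
    }
    /^[ \t]+carp: / {
        report(); vhid = ""; state = "absent"
        for (i = 1; i < NF; i++) if ($i == "vhid") { vhid = $(i + 1); break }
    }
    # Greedy match up to the last quote, so a quote byte inside junk is kept.
    vhid != "" && match($0, /key ".*"/) {
        key = substr($0, RSTART + 5, RLENGTH - 6)
        state = (key ~ /[^ -~]/) ? "nonprintable" : "printable"
    }
    END { report(); exit bad + 0 }'
}

# Constructed samples modelled on the two captures in the report.
sample_2205() {
    printf '\tinet 198.51.100.210 netmask 0xffffff00 broadcast 198.51.100.255 vhid 210\n'
    printf '\tcarp: MASTER vhid 210 advbase 1 advskew 1 key "aaaaaa"\n'
}
sample_fbsd14() {
    # The key bytes below are constructed junk, not values from the report.
    printf '\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1\n'
    printf '\tcarp: MASTER vhid 1 advbase 1 advskew 1 key "\001\377\220"\n'
    printf '\t      peer 224.0.0.18 peer6 ff02::12\n'
}

sample_2205 | carp_key_check
sample_fbsd14 | carp_key_check || echo "non-printable CARP key: compare with the configured password"
```

A nonprintable result only reproduces the display symptom; whether peers actually authenticate each other still has to be tested by setting mismatched passwords, as the report does.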