HA firewall cannot manage interfaces with long bond names #1478

@cotosso

Description

When bond interface names are too long, the interface cannot be correctly managed by firewalls in HA mode.

In HA setups, interface names are combined with additional fixed suffixes to generate HA-specific interface identifiers. Since Linux network interface names have a hard limit of 15 characters, long bond names can cause the resulting interface name to exceed this limit, making the interface unusable or inconsistent across HA nodes.

Why this is a problem

Firewall rules and HA synchronization rely on deterministic and valid interface names. If the generated interface name exceeds the 15-character limit, the firewall in HA mode cannot correctly manage the interface, leading to broken or partially applied configurations.

This problem is not obvious to the user and can easily occur during normal configuration workflows.

Steps to reproduce

  1. Configure NethSecurity 8.7.1 in HA mode.
  2. Create a bond interface with a name longer than 9 chars, like bond012345.
  3. Observe that the interface is not correctly managed or synchronized by the HA firewall.

Expected behavior

The system should prevent the creation of bond interfaces whose derived interface names would exceed the 15-character limit in HA mode.

Actual behavior

The UI allows the creation of bond interfaces with names that, once combined with VLAN and HA suffixes, exceed the 15-character limit, causing the interface to be unusable in HA mode.

Additional context

In the worst-case scenario, when VLANs are used in HA mode, the generated interface name follows this format:

bond-XX.4096:ha

The total length limit is 15 characters. Since the following parts are fixed:

  • bond- (5 characters)
  • .4096 (5 characters)
  • :ha (3 characters)

Only 2 characters remain available for the bond identifier (XX).

Suggested improvement

  • Restrict the bond identifier length to exactly 2 characters.
  • Rename the field from name to ID to clearly communicate that this is a short, technical identifier rather than a descriptive label.
  • Encourage numeric values for the bond ID to reduce ambiguity and prevent invalid configurations.

This validation would make the limitation explicit, prevent broken HA setups, and guide users toward safe and predictable configurations.
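A pre-flight check along the lines the issue requests, as an added example that is not NethSecurity's own code. It assumes the derived-name layout given above (`bond-` + identifier + `.VLAN` + `:ha`); the function names and the letters-and-digits rule are hypothetical, and the sample identifiers are constructed.

```python
import re

IFNAME_MAX = 15        # usable characters in a Linux interface name (per the issue)
BOND_PREFIX = "bond-"  # fixed parts of the derived name, as listed in the issue
HA_SUFFIX = ":ha"
WORST_VLAN = 4096      # widest VLAN suffix in the issue's worst case


def derived_names(bond_id, vlan_ids=(), ha=True):
    """Return every interface name that would be derived from bond_id."""
    base = f"{BOND_PREFIX}{bond_id}"
    names = [base] + [f"{base}.{v}" for v in vlan_ids]
    if ha:
        names += [n + HA_SUFFIX for n in names]
    return names


def max_bond_id_len(ha=True, vlan=True):
    """Characters left for the identifier once the fixed parts are counted."""
    fixed = len(BOND_PREFIX)
    if vlan:
        fixed += len(f".{WORST_VLAN}")
    if ha:
        fixed += len(HA_SUFFIX)
    return IFNAME_MAX - fixed


def validate_bond_id(bond_id, vlan_ids=(WORST_VLAN,), ha=True):
    """Return a list of problems; an empty list means the id is safe to use."""
    problems = []
    # Assumption: identifiers are limited to letters and digits (also rejects "").
    if not re.fullmatch(r"[A-Za-z0-9]+", bond_id):
        problems.append(f"{bond_id!r}: use letters and digits only")
    for name in derived_names(bond_id, vlan_ids, ha):
        if len(name) > IFNAME_MAX:
            problems.append(f"{name} is {len(name)} chars (limit {IFNAME_MAX})")
    return problems


if __name__ == "__main__":
    print("max identifier length (HA + VLAN):", max_bond_id_len())
    for candidate in ("01", "012", "bond012345"):  # constructed samples
        issues = validate_bond_id(candidate)
        print(candidate, "->", "ok" if not issues else "; ".join(issues))
```

Running the check at configuration time, before the name reaches the HA sync, turns a silent rule-application failure into an explicit rejection.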

Metadata

Assignees: No one assigned

Labels: verified (All test cases were verified successfully)

Status: Done ✅