pfSense

#!/usr/local/bin/php-cgi -f

<?php

/*

 * rc.carpmaster

 *

 * part of pfSense (https://www.pfsense.org)

 * Copyright (c) 2004-2013 BSD Perimeter

 * Copyright (c) 2013-2016 Electric Sheep Fencing

 * Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate)

 * All rights reserved.

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

require_once("functions.inc");

require_once("config.inc");

require_once("notices.inc");

require_once("openvpn.inc");

require_once("ipsec.inc");

require_once("interfaces.inc");

require_once("captiveportal.inc");

if (isset($_GET['interface'])) {

	$argument = $_GET['interface'];

} else {

	$argument = str_replace("\n", "", $argv[1]);

}

$argument = ltrim($argument, '$');

if (!strstr($argument, "@")) {

	log_error("CARP master event triggered from wrong source {$argument}");

	exit;

}

list($vhid, $iface) = explode("@", $argument);

$friendly = convert_real_interface_to_friendly_interface_name($iface);

$friendly_descr = convert_friendly_interface_to_friendly_descr($friendly);

$vips = link_interface_to_vips($friendly, '', $vhid);

if (!is_array($vips)) {

	log_error("CARP master event triggered from wrong source {$argument} - no associated VIPs");

	exit;

}

foreach ($vips as $vip) {

	$notificationmsg = sprintf('HA cluster member "(%1$s@%2$s): (%3$s)" has resumed CARP state "MASTER" for vhid %4$s',

					$vip['subnet'], $iface, $friendly_descr, $vhid);

	notify_all_remote($notificationmsg);

	log_error($notificationmsg);

}

restart_ppp_interfaces_using_interfaces($vips);

/* Start OpenVPN clients running on this VIP, since they should be in the stopped state while the VIP is CARP Backup. */

global $config;

$a_groups = return_gateway_groups_array(true);

foreach (array('server', 'client') as $mode) {

	foreach (config_get_path("openvpn/openvpn-{$mode}", []) as $settings) {

		if (empty($settings)) {

			continue;

		}

		if (substr($settings['interface'], 0, 4) == '_vip') {

			$openvpn_vip = $settings['interface'];

		} else if (is_array($a_groups[$settings['interface']])) {

			// interface is a gateway group, check CARP VIP

			$vip = array_get_path($a_groups, "{$settings['interface']}/0/vip");

			if (substr($vip, 0, 4) == '_vip') {

				$openvpn_vip = $vip;

			}

		} else {

			// this OpenVPN instance not on a CARP VIP

			continue;

		}

		foreach ($vips as $vip) {

			if ($openvpn_vip == "_vip{$vip['uniqid']}") {

				log_error("Starting OpenVPN {$mode} instance on {$friendly_descr} because of transition to CARP master.");

				openvpn_restart($mode, $settings);

			}

		}

	}

}

foreach (config_get_path("ipsec/phase1", []) as $ph1ent) {

	if (empty($ph1ent)) {

		continue;

	}

	if ((substr($ph1ent['interface'], 0, 4) == '_vip') && (in_array($ph1ent['interface'], $vips))) {

		log_error("Reconfiguring IPsec because of transition to CARP master.");

		ipsec_configure();

		break;

	}

}

/* Reconfigure radvd when necessary */

$rafound = false;

foreach (config_get_path("dhcpdv6", []) as $dhcpv6if => $dhcpv6ifconf) {

	if (empty($dhcpv6ifconf)) {

		continue;

	}

	foreach ($vips as $vip) {

		if ($dhcpv6ifconf['rainterface'] == "_vip{$vip['uniqid']}") {

			log_error("Starting radvd instance on {$friendly_descr} because of transition to CARP master.");

			$rafound = true;

		}

	}

}

if ($rafound) {

	services_radvd_configure();

}

/* Reconfigure DHCP Relay when necessary */

if (config_path_enabled('dhcrelay') &&

    (config_get_path('dhcrelay/carpstatusvip') == "_vip{$vip['uniqid']}")) {

	log_error("Starting DHCP Relay service because of transition to CARP master.");

	services_dhcrelay_configure();

}

/* Reconfigure DHCPv6 Relay when necessary */

if (config_path_enabled('dhcrelay6') &&

    (config_get_path('dhcrelay6/carpstatusvip') == "_vip{$vip['uniqid']}")) {

	log_error("Starting DHCPv6 Relay service because of transition to CARP master.");

	services_dhcrelay6_configure();

}

/* Reconfigure captive portal when necessary :

   If we are the primary node, and we are switching back from backup to master : Get user list from the backup node */

if (!empty(config_get_path('captiveportal')) &&

    !empty(config_get_path('hasync/synchronizetoip')) &&

    !empty(config_get_path('hasync/synchronizecaptiveportal'))) {

	$xmlrpc_username = config_get_path('hasync/username');

	if (empty($xmlrpc_username)) {

		$xmlrpc_username = "admin";

	}

	$xmlrpc_port = config_get_path('system/webgui/port');

	if (empty($xmlrpc_port)) {

		if (config_get_path('system/webgui/protocol') == "http") {

			$xmlrpc_port = "80";

		} else {

			$xmlrpc_port = "443";

		}

	}

	foreach (array_keys(config_get_path('captiveportal')) as $cpzone) {

		$rpc_client = new pfsense_xmlrpc_client();

		$rpc_client->setConnectionData(config_get_path('hasync/synchronizetoip'), $xmlrpc_port, $xmlrpc_username, config_get_path('hasync/password'));

		$resp = $rpc_client->xmlrpc_method('captive_portal_sync', array('op' => 'get_databases', 'zone' => $cpzone));

		if (is_array($resp) || !empty($resp)) { // $resp will be an array only if the communication was successful

			// Contains array of connected users (will be stored in SQLite DB)

			$connected_users = unserialize(base64_decode($resp['connected_users']));

			// Contains array of active vouchers (will be stored in active vouchers db)

			$active_vouchers = unserialize(base64_decode($resp['active_vouchers']));

			// Contain bitmask of both in use and expired vouchers (will be stored in "used vouchers" db)

			$expired_vouchers = unserialize(base64_decode($resp['expired_vouchers']));

			// Contains array of usedmacs (will be stored in usedmacs db)

			$usedmacs = unserialize(base64_decode($resp['usedmacs']));

			$cpdb = captiveportal_read_db();

			$unsetindexes = array_column($cpdb, 5);

			if (!empty($unsetindexes)) {

				captiveportal_remove_entries($unsetindexes, true); // true: prevent carp loop

			}

			captiveportal_free_dnrules();

			foreach ($connected_users as $user) {

				if (!is_array($user) || empty($user)) {

					continue;

				}

				$pipeno = captiveportal_get_next_dn_ruleno('auth');

				$attributes = array();

				$attributes['allow_time'] = $user['allow_time'];

				$attributes['session_timeout'] = $user['session_timeout'];

				$attributes['idle_timeout'] = $user['idle_timeout'];

				$attributes['session_terminate_time'] = $user['session_terminate_time'];

				$attributes['interim_interval'] = $user['interim_interval'];

				$attributes['maxbytes'] = $user['traffic_quota'];

				portal_allow($user['ip'], $user['mac'], $user['username'], base64_decode($user['bpassword']), null,

				    $attributes, $pipeno, $user['authmethod'], $user['context'], $user['sessionid'], true);

			}

			foreach ($expired_vouchers as $roll => $vdb) {

				voucher_write_used_db($roll, $vdb);

			}

			foreach ($active_vouchers as $roll => $vouchers) {

				voucher_write_active_db($roll, $vouchers);

			}

			captiveportal_write_usedmacs_db($usedmacs); 

		}

		captiveportal_syslog(sprintf(gettext('Connected users, used vouchers and used MACs have been synchronized from %1$s'), $config['hasync']['synchronizetoip']));

	}

}

openlog("", LOG_PID, LOG_LOCAL0);

$pluginparams = array();

$pluginparams['type'] = 'carp';

$pluginparams['event'] = 'rc.carpmaster';

$pluginparams['interface'] = $argument;

pkg_call_plugins('plugin_carp', $pluginparams);

?>