authordoktornotor <notordoktor@gmail.com>2015-11-12 11:40:40 +0100
committerdoktornotor <notordoktor@gmail.com>2015-11-12 11:40:40 +0100
commit092b243a4cd34a9e4338e9b5d2bb22aa04972d01 (patch)
treeddba0c6857d1ccc5e3c7bcc4619163d28f64c960 /config/ipguard
parent6a9837c9abd3011d22eccb31175e56fc02b9f286 (diff)
XMLRPC sync fixes and improvements
- Add CARP/HA sync option - Add enable/disable checkbox per replication target - Add protocol/port selection - Add timeout setting - Fix literal IPv6 handling for sync targets - Do settings validation and only try to sync when configuration is valid - Some code style touches while here
Diffstat (limited to 'config/ipguard')
-rw-r--r--config/ipguard/ipguard.inc181
1 files changed, 108 insertions, 73 deletions
diff --git a/config/ipguard/ipguard.inc b/config/ipguard/ipguard.inc
index 68e08e9f..d51e4fe2 100644
--- a/config/ipguard/ipguard.inc
+++ b/config/ipguard/ipguard.inc
@@ -31,7 +31,6 @@ require_once("config.inc");
require_once("util.inc");
function ipguard_custom_php_deinstall_command() {
- stop_service('ipguard');
unlink_if_exists("/usr/local/etc/rc.d/ipguard.sh");
$files = glob("/usr/local/etc/ipguard_*.conf");
unlink_if_exists($files);
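Review bot: Dropping `stop_service('ipguard')` at the top of `ipguard_custom_php_deinstall_command` means the rc script and the per-interface config files are removed while any ipguard processes started from them may still be running, and once `/usr/local/etc/rc.d/ipguard.sh` is gone there is no rc-based way left to stop them. Unless the package framework is known to stop the service before invoking this hook (not visible here), keeping an explicit kill in the hook, e.g. `mwexec("/bin/pkill -anx ipguard");` (the same command the rc stop action uses elsewhere in this commit), avoids orphaned daemons on uninstall. The function body continues outside the hunk.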
@@ -50,8 +49,7 @@ function ipguard_custom_php_write_config() {
}
if (is_array($config['installedpackages']['ipguard']['config'])) {
- // Read config
- $new_config=array();
+ $new_config = array();
foreach ($config['installedpackages']['ipguard']['config'] as $ipguard) {
if ($ipguard['enable'] && $ipguard['interface'] && $ipguard['mac'] && $ipguard['ip']) {
$new_config[$ipguard['interface']] .= "{$ipguard['mac']} {$ipguard['ip']} {$ipguard['description']}\n";
@@ -59,8 +57,8 @@ function ipguard_custom_php_write_config() {
}
}
- $start="";
- $stop="pkill -anx ipguard";
+ $start = "";
+ $stop = "/bin/pkill -anx ipguard";
conf_mount_rw();
/* Create rc script and restart service if ipguard is enabled */
if (count($new_config) > 0 && $ipguard['enable']) {
@@ -81,13 +79,8 @@ function ipguard_custom_php_write_config() {
$iface = convert_friendly_interface_to_real_interface_name($key);
$start .= "/usr/local/sbin/ipguard -l /var/log/ipguard_{$key}.log -p /var/run/ipguard_{$key}.pid -f {$conf_file} -u 300 -z {$iface}\n\t";
}
- write_rcfile(array(
- 'file' => 'ipguard.sh',
- 'start' => $start,
- 'stop' => $stop
- ));
+ write_rcfile(array('file' => 'ipguard.sh', 'start' => $start, 'stop' => $stop));
restart_service('ipguard');
-
} else {
/* Otherwise, stop the service and remove rc script */
stop_service('ipguard');
@@ -96,7 +89,6 @@ function ipguard_custom_php_write_config() {
}
conf_mount_ro();
- /* Sync config with other pfSense servers */
ipguard_sync_on_changes();
}
@@ -104,64 +96,111 @@ function ipguard_custom_php_write_config() {
function ipguard_sync_on_changes() {
global $config, $g;
- if (is_array($config['installedpackages']['ipguardsync'])) {
- if ($config['installedpackages']['ipguardsync']['config'][0]['synconchanges']) {
+ if (is_array($config['installedpackages']['ipguardsync']['config'])) {
+ $ipguard_sync = $config['installedpackages']['ipguardsync']['config'][0];
+ $synconchanges = $ipguard_sync['synconchanges'];
+ $synctimeout = $ipguard_sync['synctimeout'] ?: '250';
+ switch ($synconchanges) {
+ case "manual":
+ if (is_array($ipguard_sync['row'])) {
+ $rs = $ipguard_sync['row'];
+ } else {
+ log_error("[ipguard] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
+ $rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['username'] = $system_carp['username'];
+ $rs[0]['password'] = $system_carp['password'];
+ $rs[0]['syncdestinenable'] = FALSE;
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['syncprotocol'] = "http";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['syncprotocol'] = "https";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443';
+ }
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("[ipguard] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ } else {
+ $rs[0]['syncdestinenable'] = TRUE;
+ }
+ } else {
+ log_error("[ipguard] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ }
+ break;
+ default:
+ return;
+ break;
+ }
+ if (is_array($rs)) {
log_error("[ipguard] XMLRPC sync is starting.");
- foreach ($config['installedpackages']['ipguardsync']['config'] as $rs ) {
- foreach ($rs['row'] as $sh) {
+ foreach ($rs as $sh) {
+ // Only sync enabled replication targets
+ if ($sh['syncdestinenable']) {
$sync_to_ip = $sh['ipaddress'];
+ $port = $sh['syncport'];
+ $username = $sh['username'] ?: 'admin';
$password = $sh['password'];
- if ($password && $sync_to_ip) {
- ipguard_do_xmlrpc_sync($sync_to_ip, $password);
+ $protocol = $sh['syncprotocol'];
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ ipguard_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+ } else {
+ log_error("[ipguard] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
}
}
}
- log_error("[ipguard] XMLRPC sync is ending.");
+ log_error("[ipguard] XMLRPC sync completed.");
}
- }
+ }
}
/* Do the actual XMLRPC sync */
-function ipguard_do_xmlrpc_sync($sync_to_ip, $password) {
- global $config, $g;
+function ipguard_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
+ global $config;
- if (!$password) {
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+ log_error("[ipguard] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
}
- if (!$sync_to_ip) {
- return;
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
}
- $username = 'admin';
- $xmlrpc_sync_neighbor = $sync_to_ip;
- if ($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* If port is empty, let's rely on the protocol selection */
- if ($port == "") {
- if ($config['system']['webgui']['protocol'] == "http") {
- $port = "80";
- } else {
- $port = "443";
- }
- }
- $synchronizetoip .= $sync_to_ip;
+ $url = "{$protocol}://{$sync_to_ip}";
- /* xml will hold the sections to sync */
+ /* XML will hold the sections to sync. */
$xml = array();
$xml['ipguard'] = $config['installedpackages']['ipguard'];
- /* Assemble XMLRPC payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
-
- /* Set a few variables needed for sync code; borrowed from filter.inc */
- $url = $synchronizetoip;
- log_error("Beginning ipguard XMLRPC sync to {$url}:{$port}.");
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
+
+ /* Set a few variables needed for sync code */
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
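Review bot: `global $config, $g;` in `ipguard_do_xmlrpc_sync` is narrowed to `global $config;`, but the function still reads `$g['debug']` in the next hunk (`if ($g['debug'])`), so `$g` is now an undefined local there and the debug switch can never take effect; restore `global $config, $g;`. Separately, `$synctimeout` is taken from the package config with only the `?: '250'` fallback and is passed to `$cli->send()` unchecked, so a non-numeric value bypasses the new per-target validation block; a guard beside the other checks, e.g. `if (!is_numeric($synctimeout)) { $synctimeout = '250'; }`, closes that gap. It is also worth a comment next to `$protocol = $sh['syncprotocol'];` that with a manual target set to http the admin password travels to the replication target in clear text, and a `log_error` warning when http is selected would make that visible to the operator. `ipguard_do_xmlrpc_sync` continues past the end of this hunk.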
@@ -169,49 +208,45 @@ function ipguard_do_xmlrpc_sync($sync_to_ip, $password) {
if ($g['debug']) {
$cli->setDebug(1);
}
- /* send our XMLRPC message and timeout after 250 seconds */
- $resp = $cli->send($msg, "250");
+ /* Send our XMLRPC message and timeout after defined sync timeout value */
+ $resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting ipguard XMLRPC sync with {$url}:{$port}.";
- log_error($error);
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}.";
+ log_error("[ipguard] {$error}");
file_notice("sync_settings", $error, "ipguard Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
- $error = "An error code was received while attempting ipguard XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[ipguard] {$error}");
file_notice("sync_settings", $error, "ipguard Settings Sync", "");
} else {
- log_error("ipguard XMLRPC sync successfully completed with {$url}:{$port}.");
+ log_error("[ipguard] XMLRPC sync successfully completed with {$url}:{$port}.");
}
- /* tell ipguard to reload our settings on the destination sync host. */
+ /* Tell ipguard to reload our settings on the destination sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/ipguard.inc');\n";
$execcmd .= "ipguard_custom_php_write_config();";
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
- log_error("ipguard XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
- $resp = $cli->send($msg, "250");
+ $resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting ipguard XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
- log_error($error);
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error("[ipguard] {$error}");
file_notice("sync_settings", $error, "ipguard Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
- $error = "An error code was received while attempting ipguard XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[ipguard] {$error}");
file_notice("sync_settings", $error, "ipguard Settings Sync", "");
} else {
- log_error("ipguard XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[ipguard] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
}
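Review bot: On the fault-code path the retry `$resp = $cli->send($msg, $synctimeout);` can return false, exactly the case the preceding `if (!$resp)` branch handles, yet the next line calls `$resp->faultCode()` unconditionally, turning a transient communications failure into a fatal error on a non-object instead of a logged sync failure; the same pattern is repeated in the `pfsense.exec_php` block below. The re-send appears to exist only to emit the client's debug output after `setDebug(1)`, so either drop it and report the first response's fault, or test the retry result before dereferencing it, e.g. `if (!$resp) { $error = "A communications error occurred during XMLRPC retry with {$url}:{$port}."; } else { ... existing fault message ... }`.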