ndejong / pfsense_fauxapi

REST based API interface for pfSense 2.3.x and 2.4.x to facilitate devops
Apache License 2.0

bash client: alias and firewall rules patching #52

Open Methraton opened 5 years ago

Methraton commented 5 years ago

Hi, I don’t know how to contact you for clarification. I hope this is a good way. I’ve set up fauxapi on a test installation. I’m trying to use the bash client to make changes to the existing configuration and see how it works on the device. I see the same issue with pfsense versions 2.4.3 and 2.4.4.p3.

I’m able to get the config using the script with _system_config=$(fauxapi_config_get ${fauxapihost})

I’m facing two problems: one with the real alias value, one with rules patching.

Real Alias Value

I’m able to change the value of an alias with _fauxapi_config_patch $fauxapi_host /root/Desktop/pfsalias.cfg (the file contains the json needed that changes the only alias from 192.168.204.55 to 192.168.204.54), but the change is only aesthetical: the alias value is displayed correctly in the gui, but the value in diagnostic>Tables>Alias_name is still the old one (the only way to change it is manually via Status>Filter Reload>Reload Filter).

Rules patching

The other problem is that when I try to patch the firewall rules (even with an unmodified copy of the same rules) I get an error like this one:

_{ "callid": "5d4a943c378b4", "action": "config_patch", "message": "failed to patch config data", "logs": [ { "INFO": "20190807Z110500 :: fauxapi\v1\fauxApi::__call", "DATA": { "user_action": "config_patch", "callid": "5d4a943c378b4", "client_ip": "192.168.204.54" } }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApi::check_user_action_call" }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiAuth::is_authenticated" }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiAuth::load_credentials" }, { "DEBUG": "20190807Z110500 :: valid auth for call", "DATA": { "apikey": "PFFATestUser", "callid": "5d4a943c378b4", "client_ip": "192.168.204.54" } }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiAuth::is_authorized" }, { "DEBUG": "20190807Z110500 :: permit allows action", "DATA": { "action": "config_patch", "permit": "", "permits": [ "" ] } }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApi::check_user_action_call() checks all passed" }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiActions::config_patch" }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiPfsenseInterface::config_patch", "DATA": { "do_backup": true, "do_reload": true } }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiPfsenseInterface::config_load", "DATA": { "config_file": "/cf/conf/config.xml" } }, { "INFO": "20190807Z110500 :: config_patch merged with current config, attempting to save" }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiPfsenseInterface::config_save", "DATA": { "do_backup": true, "do_reload": true } }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiPfsenseInterface::config_backup", "DATA": "/cf/conf/config.xml" }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiPfsenseInterface::get_next_backup_config_filename", "DATA": { "type": "pfsense" } }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiPfsenseInterface::config_load", "DATA": { "config_file": "/cf/conf/config.xml" } }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiPfsenseInterface::config_load", "DATA": { 
"config_file": "/cf/conf/backup/config-1565168700.xml" } }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiPfsenseInterface::config_load", "DATA": { "config_file": "/cf/conf/config.xml" } }, { "DEBUG": "20190807Z110500 :: attempting to (re)load a temp copy of the config supplied", "DATA": { "config_temp_file": "/tmp/fauxApi_wpSDSf" } }, { "DEBUG": "20190807Z110500 :: fauxapi\v1\fauxApiPfsenseInterface::config_load", "DATA": { "config_file": "/tmp/fauxApiwpSDSf" } }, { "ERROR": "20190807Z110500 :: saved config does not match config when saved and reloaded" } ] }

Thanks for any support you can provide.

ndejong commented 4 years ago

Hi @Methraton -

There are two issues here, the first one is easy, you can issue a send_event with POST data filter reload to cause the same reload action you are doing in the GUI https://github.com/ndejong/pfsense_fauxapi#user-content-send_event

The second issue is not so clear from the description provided, however the error you are getting is the built-in mechanism that prevents a bad config from being saved in the first place, so something is somehow not right - based on what you have described it sounds like you might be trying to patch something that should just be saved with config_set https://github.com/ndejong/pfsense_fauxapi#user-content-config_set

let us know how it goes

tman785 commented 4 years ago

I actually have a similar problem as your second issue. I'm using config_patch to simply disable a rule, and I get a similar error

my json file looks like this:

{
  "filter": {
    "rule": {
      "id": "",
      "tracker": "1xxxxx",
      "type": "block",
      "interface": "lan",
      "ipprotocol": "inet",
      "disabled": "",
      "tag": "",
      "tagged": "",
      "max": "",
      "max-src-nodes": "",
      "max-src-conn": "",
      "max-src-states": "",
      "statetimeout": "",
      "statetype": "keep state",
      "os": "",
      "protocol": "icmp",
      "icmptype": "any",
      "source": { "address": "192.xxxxxx" },
      "destination": { "address": "4.2.2.2" },
      "descr": "",
      "created": { "time": "1579288662", "username": "xxxxxxx)" },
      "updated": { "time": "1579289266", "username": "xxxxxx" }
    }
  }
}
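Added example, not part of the thread or of the project's code: one way to follow the config_set suggestion above is to take the complete config returned by config_get, disable a single rule in it by tracker, and check that nothing else changed before submitting the whole document. It makes no API call; the sample config is constructed, and the layout of filter.rule as a list of rule objects, each with a unique tracker, is an assumption.

```python
import copy

# Constructed sample standing in for the config returned by config_get.
SAMPLE_CONFIG = {
    "system": {"hostname": "fw-test"},
    "filter": {"rule": [
        {"tracker": "1000000001", "type": "pass", "interface": "lan",
         "protocol": "tcp", "descr": "allow web"},
        {"tracker": "1000000002", "type": "block", "interface": "lan",
         "protocol": "icmp", "icmptype": "any",
         "destination": {"address": "4.2.2.2"}, "descr": ""},
    ]},
}


def _rules(config):
    """Return filter.rule as a list (a lone rule may arrive as one object)."""
    rules = config.get("filter", {}).get("rule")
    if rules is None:
        raise KeyError("config has no filter.rule section")
    return [rules] if isinstance(rules, dict) else rules


def disable_rule(config, tracker):
    """Return a full copy of config with exactly one rule marked disabled."""
    new_config = copy.deepcopy(config)
    matches = [r for r in _rules(new_config) if r.get("tracker") == tracker]
    if len(matches) != 1:
        # Refuse to guess: zero or several matches means the edit is ambiguous.
        raise ValueError(f"tracker {tracker}: {len(matches)} matching rules")
    matches[0]["disabled"] = ""  # the key being present marks the rule disabled
    return new_config


def changed_trackers(old, new):
    """Trackers of rules that were added or altered, as a pre-submit check."""
    old_by_tracker = {r.get("tracker"): r for r in _rules(old)}
    return sorted(r.get("tracker") for r in _rules(new)
                  if old_by_tracker.get(r.get("tracker")) != r)


if __name__ == "__main__":
    candidate = disable_rule(SAMPLE_CONFIG, "1000000002")
    print("rules changed:", changed_trackers(SAMPLE_CONFIG, candidate))
```
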