API Firewall Rule management

[Fright]

Hi
hm. its phalcon getHTTPReferer() function. need some time to check how it works with api calls )
anyway i agree its worth opening a github ticket

[ansibleguy]

Hi.

We solved it somehow.

It seems if you target the deprecated 'addDot' API endpoints - it works.

Code: [Select]

REQUEST: POST | HEADERS: '{'Referer': 'https://FW/ui/unbound/forward', 'Content-Type': 'application/json'}' | URL: https://FW/api/unbound/settings/addDot | DATA: {'dot': {'type': 'forward', 'enabled': 1, 'domain': 'tmp.at', 'server': '1.1.1.1', 'port': 53}}

The type seems to only be set to the 'Referer' value if the target method does not exist.. (?) 

- AnsibleGuy

[Fright]

We solved it somehow.

looks like i need to sleep .. did not notice endpoint on previous post.
addDot not deprecated. this is correct endpoint imho. then the call is intercepted and forwarded to ***ForwardAction (not "***forwardAction") functions, considering Referer header value.

[ansibleguy]

Hi.

If 'dot*' are non-deprecated methods/endpoints we should add it to the docs: https://docs.opnsense.org/development/api/core/unbound.html

I'm satisfied - it works

- AnsibleGuy

[ansibleguy]

Hi.

I'm back again

Today I have a question regarding the automation/api-managed rules.

API reference: https://docs.opnsense.org/development/api/plugins/firewall.html


Someone reported to me that in those rules one cannot choose a gateway group as target-gateway.

Per example:
1. Using the automation rules:


2. Using the default web-ui rules:


Can someone tell me whether this is intentional or that's a bug/missing functionality? 

Anyway - this is a very commonly used functionality and therefore would be nice to be available using the API.

- AnsibleGuy

[ansibleguy]

Hi.

The missing GW-Groups make the API 'unusable' for many practical use-cases.  :'(

@Fright would you know something about that functionality?

As I have not got much experience developing PHP I'm not really able to read into the OPNSense code 

- AnsibleGuy

[Fright]

Hi!
No, as far as I understand the model, now the use of groups is not possible: the field is validated based on the /scripts/routes/gateways.php return and it does not return groups.

If you'll excuse me, I think you're doing a great job.
I just think it might be more efficient to open a github ticket with all the accumulated questions?
There we could listen to the opinion of the developers about the API development direction and possibly (personally, I would be happy to, if circumstances permit) to participate.
This IMHO definitely contributed to the improvement of the product and, who knows, in the future it would allow migrating the firewall to the MVC )

[ansibleguy]

Hi.

Thank you for your response. 

You are right - I'll open tickets regarding my findings. Makes sense.

I just wanted to ask beforehand as I could've overlooked something.

- AnsibleGuy

[ansibleguy]

Hi.

FYI:

• os-firewall gateway-groups not available: https://github.com/opnsense/plugins/issues/3139
• os-firewall aliases in use can be deleted: https://github.com/opnsense/plugins/issues/3140
• unbound query-forwarding: https://github.com/opnsense/core/issues/6047

- AnsibleGuy