Where can I find information on the backup/restore XML schema?
-
I am working on a tool (https://github.com/imthenachoman/pfSense-Firewall-Rules-Manager) to work with pfSense's FW XML backup.
I'm having trouble with getting pfSense to import an XML file I create. It imports properly but the rules don't seem active. I'm not sure why because the XML I create seems to have everything it needs/expect.
Hoping someone can point me to the XML schema so I can maybe figure out what I am doing wrong.
-
What are you doing after you changed the XML?
When I changed the XML I go to the rules, move a separator and save and apply, and it works.
Keeps me avoiding a reboot
-
I think I am going crazy.
I imported an XML file my tool created and it didn't work. Did this 15+ times with the same XML file and it didn't work.
I gave up, came back a few hours later, imported the same XML file, and it worked.
And by not working, I mean that the rules were there but not registering. For example, I had a rule to allow one VLAN access to the internet but the devices on that VLAN couldn't access the internet.
It seems to be working now. But I would still like the schema so I can ensure the XML my tool generates is accurate.
-
What do you do after the XML is imported?
Reboot? Or nothing? What's the standard procedure for your import?
-
@noplan Okay. So I was wrong.
When I import my XML and then reboot, they do not work. I import the working backup copy and reboot and they do work.
If I import and don't reboot, they keep working but I assume that's cause of some caching or something.
-
@noplan I just saw that there is an error after importing my XML:
There were error(s) loading the rules: /tmp/rules.debug:177: syntax error - The line in question reads [177]: block return in log quick on $LAN inet proto any from !192.168.1.0/24 to any tracker 1609008158 label "USER_RULE: reject anything not from net" @ 2021-01-31 11:42:07
And this is the rule for that tracker ID:
<rule>
  <type>reject</type>
  <interface>lan</interface>
  <ipprotocol>inet</ipprotocol>
  <protocol>any</protocol>
  <source>
    <network>lan</network>
    <not />
  </source>
  <destination>
    <any />
  </destination>
  <log />
  <descr><![CDATA[reject anything not from net]]></descr>
  <tracker>1609008158</tracker>
  <statetype><![CDATA[keep state]]></statetype>
</rule>
Not sure what is wrong...
-
@noplan So I think I figured it out.
Unlike the pfsense backup XML file, my code was not creating empty nodes.
So I fixed that. I create empty nodes.
Now it seems to be working.
Thanks!
-
Cool thing!
Glad you were able to fix it
BrNP
-
@imthenachoman did you ever find any official XML schema to base this work on?
I'm working on a solution to fully automate the installation/configuration of virtualized pfsense routers, and today I learned that all I have to do is generate a custom config.xml and mount it on boot. So the remaining part for me is to figure out the proper format. All I can find so far is the default config.xml file in the main pfsense code base. This is workable, but I was hoping to find an official XML schema or other spec/tools that would aid in this automation.
Thanks!
Tim
-
@timblaktu said in Where can I find information on the backup/restore XML schema?:
So the remaining part for me is to figure out the proper format. All I can find so far is the default config.xml file
I suggest in pfsense manually configuring several of your installations. Create a backup of each and look at the backup file format. That should clarify what you need for the general case.
Then use https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html
-
@Patch thanks. My issue is less "what to configure?" and more the actual mechanics of correctly and automatically generating the XML representation. I can reverse engineer a solution from the latest default config.xml in the pfsense repo but this feels archaic in this day and age. I feel this has to be a solved problem.
-
@timblaktu No. I never did. :(
-
@timblaktu said in Where can I find information on the backup/restore XML schema?:
I can reverse engineer a solution from the latest default config.xml in the pfsense repo
Why on earth start there?
Start by comparing backup configuration files for the range of installations you actually require.
-
@Patch I'll definitely be looking at example configs pulled from manually-configured pfsense installs, and refining what I need to include in the config.xml. The point of what I'm doing is to fully-automate the pfsense installation, like described here in the docs by providing the installer a config.xml file to apply. This config.xml will be different for different installations on different machines, so I must generate it programmatically, which is why I'm asking about the XML schema and/or other config generation tools.
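-
Added example, not part of any post in this thread and not pfSense or project code: with no published schema, one way to act on the advice to compare against real backups, and to catch the dropped empty nodes described earlier, is to diff the element structure of each rule in a generated file against the same rule in a pfSense-exported backup before importing it. The XML samples are constructed, the function names are hypothetical, and rules are assumed to be matched by their tracker value.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one rule as it might appear in a backup exported by pfSense.
REFERENCE_XML = """<pfsense><filter><rule>
  <id></id><tracker>1000000001</tracker><type>pass</type><interface>lan</interface>
  <ipprotocol>inet</ipprotocol><tag></tag><max></max>
  <source><network>lan</network></source><destination><any></any></destination>
  <descr><![CDATA[allow lan out]]></descr>
</rule></filter></pfsense>"""

# Constructed sample: the same rule written by a generator that drops empty nodes.
GENERATED_XML = """<pfsense><filter><rule>
  <tracker>1000000001</tracker><type>pass</type><interface>lan</interface>
  <ipprotocol>inet</ipprotocol>
  <source><network>lan</network></source><destination></destination>
  <descr><![CDATA[allow lan out]]></descr>
</rule></filter></pfsense>"""

def rule_paths(rule):
    """Return {path: is_empty} for every descendant element of one <rule>."""
    out, stack = {}, [(child, child.tag) for child in rule]
    while stack:
        node, path = stack.pop()
        out[path] = len(node) == 0 and not (node.text or "").strip()
        stack.extend((child, f"{path}/{child.tag}") for child in node)
    return out

def rules_by_tracker(xml_text):
    """Index filter rules by <tracker>; root may be <pfsense> or (assumed) <filter>."""
    root = ET.fromstring(xml_text)
    filt = root if root.tag == "filter" else root.find("filter")
    return {r.findtext("tracker"): rule_paths(r) for r in filt.findall("rule")}

def dropped_elements(reference_xml, generated_xml):
    """For each reference rule, list element paths the generated file lacks."""
    ref, gen = rules_by_tracker(reference_xml), rules_by_tracker(generated_xml)
    report = {}
    for tracker, paths in ref.items():
        have = gen.get(tracker)
        lost = ["(whole rule missing)"] if have is None else sorted(
            p + (" [empty]" if paths[p] else "") for p in paths if p not in have)
        if lost:
            report[tracker] = lost
    return report

if __name__ == "__main__":
    for tracker, lost in dropped_elements(REFERENCE_XML, GENERATED_XML).items():
        print(tracker, "is missing:", ", ".join(lost))
```

An empty report only means the element structure matches the reference; the "There were error(s) loading the rules" notice after import is still the check that the ruleset actually loaded.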