Netgate Discussion Forum

    pf-sense-api-client

    Multi-Instance Management
      marcosm Netgate @philippe richard

      Yes if it's the official API / Nexus.
      https://github.com/Netgate/pfsense-api

        philippe richard @marcosm

        @marcosm
        Hello, thank you for your response.

        I am experiencing a problem with updating an alias by its ID. The authentication part is working correctly: I can list aliases and retrieve their IDs. However, when I try to update an alias using its ID, I get an error code stating that the alias name does not exist.

        Here is the code example:

        alias_id = "25"  # Replace with the actual ID
        nouvel_alias = FWAlias(name="TEST_API",)
        update_req = FWUpdateAliasreq(alias=nouvel_alias, id=alias_id)
        result = firewall_update_alias.sync(client=devApi, id=alias_id, body=update_req)
        print(result)
        

        The error message:
        Error(errcode=400, errlevel=<pfapi.types.Unset object at 0x7d55248423c0>, errmsg='name missing', alerts=<pfapi.types.Unset object at 0x7d55248423c0>, additional_properties={})

        and the logs on the pfSense:
        2025-09-03 15:17:09.000000-04:00 pfnet-controller 36252 WARNING 54631 [x.x.x.x:38678] POST /api/aliases/25 (DONE 0.513ms) ERROR: name missing
        2025-09-03 15:17:09.000000-04:00 pfnet-controller 36252 Updating alias name: , ID: 25...
        2025-09-03 15:17:09.000000-04:00 pfnet-controller 36252 > {"alias": {"name": "TEST_API"}, "id": "25"}
        2025-09-03 15:17:09.000000-04:00 pfnet-controller 36252 DEBUG 54631 [x.x.x.x:38678] POST /api/aliases/25

          marcosm Netgate

          What pfSense version is that on?

            philippe richard @marcosm

            @marcosm said in pf-sense-api-client:

            What pfSense version is that on?

            25.07.1-RELEASE (amd64)

              marcosm Netgate

              Are you trying to update it using the index number? If so, try using the name; aliases are now identified by their name rather than the index number.

                philippe richard @marcosm

                @marcosm
                Hello, do you want me to put the alias name in here?

                firewall_update_alias.sync(client=devApi, id=**TEST_API**, body=update_req)
                
                  philippe richard @marcosm

                  @marcosm said in pf-sense-api-client:

                  Are you trying to update it using the index number? If so, try using the name; aliases are now identified by their name rather than the index number.

                  Yes, I was updating it using its ID number. If I change the ID to the name, I still get the same error.

                  2025-09-04 16:13:23.000000-04:00 pfnet-controller 2646 WARNING 43643 [x.x.x.x:34302] POST /api/aliases/TEST_API (DONE 1.378ms) ERROR: name missing
                  2025-09-04 16:13:23.000000-04:00 pfnet-controller 2646 Updating alias name: , ID: 25...
                  2025-09-04 16:13:23.000000-04:00 pfnet-controller 2646 > {"alias": {"name": "TEST_API"}, "id": "TEST_API"}

                    ldangpfng @philippe richard

                    The schema definition was out of sync with the handler; it expects the direct alias structure instead of a nested one. Please pull the repo again and test; you'll need a bit of change in the code:

                    existing_name="a1"
                    update_req = FWUpdateAliasReq(name=existing_name, descr="update-descr")
                    result  = firewall_update_alias.sync(client=devApi, id=existing_name, body=update_req)
                    print(result)
                    

                    A hint on checking if the code in the repository is doing the right thing is to test out what the GUI provides in the request - use the web browser dev-tools Network tab. If what you send doesn't match then we have a glitch in the schema definition that needs resolving.

                    Thanks for testing.

                      philippe richard @ldangpfng

                      @ldangpfng
                      Hello,

                      Thank you for your feedback, it's working... but only halfway.

                      If I modify the code as in your example, by putting 'update_req = FWUpdateAliasReq(name=existing_name, descr="update-descr")', the description is updated, but all the other fields become empty.

                      It's as if the request obliges you to include all fields, and not just the one you want to modify.

                        ldangpfng @philippe richard

                        @philippe-richard

                        In general, yes: get the existing values, modify, and then post changes. Some functions don't need all of that and do update-only-values-provided type of thing. A lot of the input values are an attempt to map the API set to the backend configuration; a significant number of them can be confusing (because config.xml is schemaless) and more work needs to be done to make them friendlier with more abstractions.

                        Well aware that the API schema lacks usage descriptions for many structures and endpoints, and we're working on putting that into the schema.

                          philippe richard @ldangpfng

                          @ldangpfng
                          Hello,

                          thank you for your response.

                          I will continue to use them while keeping in mind that some queries might not work.

                          Therefore, you will likely receive new questions from me when that happens.

                            philippe richard @ldangpfng

                            @ldangpfng
                            Hello,

                            I'm currently testing the insert_firewall_rule function and I'm getting the following error:

                            Error(errcode=400, errlevel=<pfapi.types.Unset object at 0x7f4b2854a210>, errmsg='failed to insert rule: insert rule error: unable to find insertion point', alerts=<pfapi.types.Unset object at 0x7f4b2854a210>, additional_properties={})
                            

                            If I'm not mistaken, this error indicates that the system is unable to find the insertion point for the rule. Where should this reference ID be placed? Should it be in the request?

                            insert_firewall_rule.sync(client=devApi, interface="TI", body=firewall_instance, id="6")
                            

                            Additionally, in the InsertFilterRule model, there's a reference=str value. What exactly is this reference?

                            Thank you in advance for your help.

                              ldangpfng @philippe richard

                              A rule insertion can be placed at the end (AppendFirewallRule()) or before/after a specific rule (specified by its id) with InsertFirewallRule(). The id is the label given to each rule item when you retrieve the list of rules.

                              [Screenshot: 8fbbe0ad-871c-40a5-b308-ee99d59c1df9-image.png]

                              The after attribute to the InsertFirewallRule call tells the handler whether you want to put it before or after the provided id.

                              Ignore reference=str value, it is a stale field that needs to be removed because the query string for id is intended for this.

                                philippe richard @ldangpfng

                                @ldangpfng
                                Hello,

                                thank you for your response.

                                Actually, the ID that needs to be entered is the one of the style "opt1_1757505116", and not the one that appears in the browser's URL when you edit a rule, which looks like "firewall_rules_edit.php?id=7".
                                Now that I have corrected my mistake, it works.

                                Thank you again.

                                  ldangpfng @philippe richard

                                  @philippe-richard

                                  Use the new UI (by default it listens on port 8443), which will let you see the API calls, similar to the screenshot of the web devtools above, where the id is derived from a unique value of the rule entry. This is unlike the PHP pages which do not have an API and assume one admin accessing the page at any time, so submitting from *_edit.php?id=7 could end up hitting the wrong entry if two people are modifying the rules at the same time.

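Added example, not part of the thread and not pfSense code: a small simulation of the point made in the last reply, that a positional id can land on the wrong rule when a second admin changes the list, while an id derived from the rule entry does not. The rule list is constructed; only the id style `opt1_1757505116` comes from the thread, and all function names are hypothetical.

```python
from copy import deepcopy

# Constructed rule list; the first id is the style quoted in the thread,
# the others are made up for this example.
RULES = [
    {"id": "opt1_1757505116", "descr": "allow dns", "disabled": False},
    {"id": "opt1_1757505120", "descr": "allow web", "disabled": False},
    {"id": "opt1_1757505131", "descr": "temp vendor access", "disabled": False},
]

def position_of(rules, rule_id):
    """Resolve a stable id to its current position, or fail loudly."""
    for pos, rule in enumerate(rules):
        if rule["id"] == rule_id:
            return pos
    raise LookupError(f"no rule with id {rule_id!r}")

def insert_rule(rules, new_rule, ref_id, after=False):
    """Insert before (or after) the rule whose stable id is ref_id."""
    rules.insert(position_of(rules, ref_id) + (1 if after else 0), new_rule)

def simulate(address_by_id):
    """Admin A decides to disable 'temp vendor access' from a snapshot;
    admin B inserts a rule before A submits. Returns the rule A disabled."""
    live = deepcopy(RULES)
    snapshot = deepcopy(live)              # the list admin A is looking at
    target_pos = 2                         # position of the rule in A's view
    target_id = snapshot[target_pos]["id"]
    insert_rule(live, {"id": "opt1_1757505200", "descr": "block telnet",
                       "disabled": False}, ref_id="opt1_1757505116")
    pos = position_of(live, target_id) if address_by_id else target_pos
    live[pos]["disabled"] = True
    return live[pos]["descr"]

def numeric_page_id_rejected():
    """A positional id such as '7' from *_edit.php?id=7 matches no rule id."""
    try:
        insert_rule(deepcopy(RULES), {"id": "x", "descr": "x"}, ref_id="7")
    except LookupError:
        return True
    return False

if __name__ == "__main__":
    print("by position:", simulate(address_by_id=False))
    print("by id:      ", simulate(address_by_id=True))
```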
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.