pf-sense-api-client
-
Yes if it's the offcial API / Nexus.
https://github.com/Netgate/pfsense-api -
@marcosm
Hello, thank you for your response.I am experiencing a problem with updating an alias by its ID. The authentication part is working correctly: I can list aliases and retrieve their IDs. However, when I try to update an alias using its ID, I get an error code stating that the alias name does not exist.
Here is the code example:
alias_id = "25" # Remplacez par l'identifiant réel nouvel_alias = FWAlias(name="TEST_API",) update_req = FWUpdateAliasreq(alias=nouvel_alias, id=alias_id) result = firewall_update_alias.sync(client=devApi, id=alias_id, body=update_req) print(result)_textthe error message:
Error(errcode=400, errlevel=<pfapi.types.Unset object at 0x7d55248423c0>, errmsg='name missing', alerts=<pfapi.types.Unset object at 0x7d55248423c0>, additional_properties={})and the logs on the pfSense:
2025-09-03 15:17:09.000000-04:00 pfnet-controller 36252 WARNING 54631 [x.x.x.x:38678] POST /api/aliases/25 (DONE 0.513ms) ERROR: name missing
2025-09-03 15:17:09.000000-04:00 pfnet-controller 36252 Updating alias name: , ID: 25...
2025-09-03 15:17:09.000000-04:00 pfnet-controller 36252 > {"alias": {"name": "TEST_API"}, "id": "25"}
2025-09-03 15:17:09.000000-04:00 pfnet-controller 36252 DEBUG 54631 [x.x.x.x:38678] POST /api/aliases/25 -
What pfSense version is that on?
-
-
Are you trying to update it using the index number? If so, try using the name; aliases are now identified by their name rather than the index number.
-
@marcosm
Hello, do you want me to put the alias name in here?firewall_update_alias.sync(client=devApi, id=**TEST_API**, body=update_req) -
@marcosm said in pf-sense-api-client:
Are you trying to update it using the index number? If so, try using the name; aliases are now identified by their name rather than the index number.
Yes, I was updating it using its ID number. If I change the ID to the name, I still get the same error.
2025-09-04 16:13:23.000000-04:00 pfnet-controller 2646 WARNING 43643 [x.x.x.x:34302] POST /api/aliases/TEST_API (DONE 1.378ms) ERROR: name missing
2025-09-04 16:13:23.000000-04:00 pfnet-controller 2646 Updating alias name: , ID: 25...
2025-09-04 16:13:23.000000-04:00 pfnet-controller 2646 > {"alias": {"name": "TEST_API"}, "id": "TEST_API"} -
The schema definition was out of sync with the handler; it expects the direct alias structure instead of a nested one. Please pull the repo again and test; you'll need a bit of change in the code:
existing_name="a1" update_req = FWUpdateAliasReq(name=existing_name, descr="update-descr") result = firewall_update_alias.sync(client=devApi, id=existing_name, body=update_req) print(result)A hint on checking if the code in the repository is doing the right thing is to test out what the GUI provides in the request - use the web browser dev-tools Network tab. If what you send doesn't match then we have a glitch in the schema definition that needs resolving.
thanks for testing.
-
@ldangpfng
Hello,Thank you for your feedback, it's working... but only halfway.
If I modify the code as in your example, by putting 'update_req = FWUpdateAliasReq(name=existing_name, descr="update-descr")', the description is updated, but all the other fields become empty.
It's as if the request obliges you to include all fields, and not just the one you want to modify.
-
In general, yes: get the existing values, modify, and then post changes. Some functions don't need all of that and do update-only-values-provided type of thing. A lot of the input values are an attempt to map the API set to the backend configuration, a significant number of them can be confusing (because config.xml is schemaless) and more work needs to be done to make them friendlier with more abstractions.
Well aware that the API schema lacks usage descriptions for many structures and endpoints, and we're working on putting that into the schema.
-
@ldangpfng
Hello,thank you for your response.
I will continue to use them while keeping in mind that some queries might not work.
Therefore, you will likely receive new questions from me when that happens.
-
@ldangpfng
Hello,I'm currently testing the insert_firewall_rule function and I'm getting the following error:
Error(errcode=400, errlevel=<pfapi.types.Unset object at 0x7f4b2854a210>, errmsg='failed to insert rule: insert rule error: unable to find insertion point', alerts=<pfapi.types.Unset object at 0x7f4b2854a210>, additional_properties={})If I'm not mistaken, this error indicates that the system is unable to find the insertion point for the rule. Where should this reference ID be placed? Should it be in the request ?
insert_firewall_rule.sync(client=devApi, interface="TI", body=firewall_instance, id="6")Additionally, in the InsertFilterRule model, there's a reference=str value. What exactly is this reference?
Thank you in advance for your help.
-
A rule insertion can be placed at the end (
AppendFirewallRule()) or before/after a specific rule (specified by itsid) withInsertFirewallRule(). Theidis label given to each rule item when you retrieve the list of rules.
The
afterattribute to theInsertFirewallRulecall tells the handler whether you want to put it before or after the providedid.Ignore
reference=strvalue, it is a stale field that needs to be removed because the query string foridis intended for this. -
@ldangpfng
Hello,thank you for your response.
Actually, the ID that needs to be entered is the one of the style "opt1_1757505116", and not the one that appears in the browser's URL when you edit a rule, which looks like "firewall_rules_edit.php?id=7".
Now that I have corrected my mistake, it works.Thank you again.
-
use the new UI (by default it listens on port 8443), which will let you see the API calls, similar to the screenshot of the web devtools above, where the
idis derived from a unique value of the rule entry. This is unlike the PHP pages which do not have an API and assume one admin accessing the page at any time, so submitting from*_edit.php?id=7could end up hitting the wrong entry if two people are modifying the rules at the same time.