[solved] Script to disable rules based on keyword



  • I'm trying to write a script to disable rules based on a keyword. So with this code:

    global $config;
    $config = parse_config(true);
    print_r($config);
    exec;
    exit
    

    I figured that I could change the [filter][rule][0][disabled] variable to get the desired action, correct? What should I change it to?

    So what I did was a test: I disabled a rule via the GUI, then inspected the [disabled] value, yet it still remained empty; I would have expected it to be set to "yes" or "true". Do I need to run a command to output the updated value with the above code?



  • The fact that the [disabled] key 'exists' is enough to disable a rule; you can set it to '= true', for example. To enable it again, unset() that item and it will disappear from the config.

    As seen here: https://github.com/pfsense/pfsense/blob/a512609213f2a8fd86c7515c9235e1760d7026ed/src/usr/local/www/firewall_rules_edit.php#L884

    		if ($_POST['disabled']) {
    			$filterent['disabled'] = true;
    		} else {
    			unset($filterent['disabled']);
    		}
    

    Then save the changed configuration: https://github.com/pfsense/pfsense/blob/a512609213f2a8fd86c7515c9235e1760d7026ed/src/usr/local/www/firewall_rules_edit.php#L1015

    
    		write_config(gettext("Firewall: Rules - saved/edited a firewall rule."));
    

    Other than that, don't forget to 'apply' your new rules :).
    https://github.com/pfsense/pfsense/blob/a512609213f2a8fd86c7515c9235e1760d7026ed/src/usr/local/www/firewall_rules.php#L172
    With a call to:

    
    	$retval |= filter_configure();
    


  • @PiBa:

    The fact that the [disabled] key 'exists' is enough to disable a rule; you can set it to '= true', for example. To enable it again, unset() that item and it will disappear from the config.

    As seen here: https://github.com/pfsense/pfsense/blob/a512609213f2a8fd86c7515c9235e1760d7026ed/src/usr/local/www/firewall_rules_edit.php#L884

    		if ($_POST['disabled']) {
    			$filterent['disabled'] = true;
    		} else {
    			unset($filterent['disabled']);
    		}
    

    Then save the changed configuration: https://github.com/pfsense/pfsense/blob/a512609213f2a8fd86c7515c9235e1760d7026ed/src/usr/local/www/firewall_rules_edit.php#L1015

    
    		write_config(gettext("Firewall: Rules - saved/edited a firewall rule."));
    

    Other than that, don't forget to 'apply' your new rules :).
    https://github.com/pfsense/pfsense/blob/a512609213f2a8fd86c7515c9235e1760d7026ed/src/usr/local/www/firewall_rules.php#L172
    With a call to:

    
    	$retval |= filter_configure();
    

    Thanks for the help, however, I'm testing this on one rule with the code that follows which is run from a bash script. I do see the [disabled] variable set, but do not see the rule updated in the web interface.

    #!/bin/sh

    # A script to disable pfb_ rules
    # The heredoc delimiter is quoted so the shell leaves the PHP variables alone.

    cat << 'EOF' > /tmp/run2
    require_once("filter.inc");
    global $config;
    $config = parse_config(true);
    foreach ($config['filter']['rule'] as $value) {
        if (strpos(strtolower($value['descr']), 'pfb_dnsbl_allow_access_to_vip') !== false) {
            $value['disabled'] = true;
            #unset($value['disabled']);
            print_r($value);
        }
    }
    write_config(gettext("Firewall: Rules - saved/edited a firewall rule."));
    $retval |= filter_configure();
    print_r($retval);
    exec;
    exit
    EOF



  • There are a few issues, I think :)
    The code you have 'creates' a run2 file, but I'm not sure how you execute that. It seemed to be missing some includes (not enough includes), and the $value does not modify the original; use &$value to keep the reference to the original array value that needs to be modified.

    I would probably create a php file /root/script.sh that can be directly executed when given execute permissions (chmod +x /root/script.sh).
    Below code 'works for me' :) .

    #!/usr/local/bin/php-cgi -f
    <?php
    require_once("globals.inc");
    require_once("filter.inc");
    require_once("util.inc");
    require_once("config.inc");
    
    global $config;
    $config = parse_config(true);
    $retval = 0;
    // iterate by reference so the change lands in $config, not in a copy
    foreach ($config['filter']['rule'] as &$value) {
    	if (strpos(strtolower($value['descr']), 'pfb_dnsbl_allow_access_to_vip') !== false) {
    		$value['disabled'] = true;
    		//unset($value['disabled']);
    		print_r($value);
    	}
    }
    unset($value); // drop the reference left behind by the foreach
    write_config(gettext("Firewall: Rules - saved/edited a firewall rule."));
    $retval |= filter_configure();
    print_r($retval);
    
    
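    Pulling the pieces of this answer together as a stand-alone script (an added example, not code from the thread or from the pfSense project): it takes the direction and the keyword from the command line, matches descriptions case-insensitively, offers a dry run so you can see which rules would change before config.xml is touched, modifies the rule array by reference (the defect in the heredoc version), and only calls write_config() and filter_configure() when a rule actually changed state. The includes and the $config['filter']['rule'] / 'descr' / 'disabled' layout are the ones used above; the script name, its arguments, the $argv fallback and the 'interface' key shown in the listing are this example's own assumptions.

```php
#!/usr/local/bin/php-cgi -f
<?php
/*
 * Added example, not code from the thread or from the pfSense project.
 * Enable or disable every firewall rule whose description contains a keyword.
 *
 *   /root/toggle_rules.php disable pfb_dnsbl             # set 'disabled'
 *   /root/toggle_rules.php enable  pfb_dnsbl             # unset 'disabled'
 *   /root/toggle_rules.php disable pfb_dnsbl --dry-run   # list matches only
 *
 * Assumptions: pfSense include files and the config layout used in the thread
 * ($config['filter']['rule'] with 'descr' and 'disabled'); the script name,
 * argument handling and the 'interface' key are this example's own.
 */
require_once("globals.inc");
require_once("config.inc");
require_once("util.inc");
require_once("filter.inc");

/* Indexes of rules whose 'descr' contains $keyword, case-insensitively. */
function match_rules_by_keyword(array $rules, $keyword) {
    $hits = array();
    $needle = strtolower($keyword);
    foreach ($rules as $i => $rule) {
        $descr = isset($rule['descr']) ? strtolower($rule['descr']) : '';
        if ($needle !== '' && strpos($descr, $needle) !== false) {
            $hits[] = $i;
        }
    }
    return $hits;
}

/*
 * Set or clear the 'disabled' flag on the given rules. pfSense treats the mere
 * presence of the key as "disabled", so enabling means unset(), not = false.
 * $rules is taken by reference so the change reaches $config itself.
 * Returns how many rules actually changed state.
 */
function set_rules_disabled(array &$rules, array $indexes, $disable) {
    $changed = 0;
    foreach ($indexes as $i) {
        $is_disabled = isset($rules[$i]['disabled']);
        if ($disable && !$is_disabled) {
            $rules[$i]['disabled'] = true;
            $changed++;
        } elseif (!$disable && $is_disabled) {
            unset($rules[$i]['disabled']);
            $changed++;
        }
    }
    return $changed;
}

/* Assumption: php-cgi on pfSense exposes the arguments via $argv; fall back to $_SERVER. */
$args = isset($argv) ? $argv : (isset($_SERVER['argv']) ? $_SERVER['argv'] : array());
$self = isset($args[0]) ? $args[0] : 'toggle_rules.php';
$action = isset($args[1]) ? $args[1] : '';
$keyword = isset($args[2]) ? $args[2] : '';
$dry_run = in_array('--dry-run', $args, true);

if (!in_array($action, array('enable', 'disable'), true) || $keyword === '') {
    fwrite(STDERR, "usage: {$self} enable|disable <keyword> [--dry-run]\n");
    exit(1);
}

global $config;
$config = parse_config(true);
if (!isset($config['filter']['rule']) || !is_array($config['filter']['rule'])) {
    fwrite(STDERR, "no filter rules found in config\n");
    exit(1);
}

/* Always list what matched, so a typo in the keyword is visible before anything is written. */
$matches = match_rules_by_keyword($config['filter']['rule'], $keyword);
foreach ($matches as $i) {
    $rule = $config['filter']['rule'][$i];
    printf("[%d] %s (%s) currently %s\n", $i,
           isset($rule['descr']) ? $rule['descr'] : '',
           isset($rule['interface']) ? $rule['interface'] : '?',
           isset($rule['disabled']) ? 'disabled' : 'enabled');
}
if ($dry_run || empty($matches)) {
    echo count($matches) . " rule(s) matched; no changes written\n";
    exit(0);
}

$changed = set_rules_disabled($config['filter']['rule'], $matches, $action === 'disable');
if ($changed === 0) {
    echo "all matched rules already {$action}d; nothing to write\n";
    exit(0);
}

/* write_config() records the change (with this message) in the config history;
 * filter_configure() regenerates and loads the pf ruleset, i.e. the "Apply" step. */
write_config(sprintf("Firewall: Rules - %sd %d rule(s) matching '%s' via script",
                     $action, $changed, $keyword));
$retval = filter_configure();
echo "{$changed} rule(s) {$action}d, filter_configure() returned " . var_export($retval, true) . "\n";
exit((int)$retval);
```

    Keeping the match and the mutation in separate functions avoids the by-value foreach trap entirely: the rule array is passed by reference once, and no dangling reference is left behind. The dry run and the "nothing changed" short-circuit matter because write_config() and filter_configure() reload the whole ruleset; a script that runs them unconditionally from cron will rewrite config.xml and reload pf on every run even when no rule changed.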


  • @PiBa:

    There are a few issues, I think :)
    The code you have 'creates' a run2 file, but I'm not sure how you execute that. It seemed to be missing some includes (not enough includes), and the $value does not modify the original; use &$value to keep the reference to the original array value that needs to be modified.

    I would probably create a php file /root/script.sh that can be directly executed when given execute permissions (chmod +x /root/script.sh).
    Below code 'works for me' :) .

    #!/usr/local/bin/php-cgi -f
    <?php
    require_once("globals.inc");
    require_once("filter.inc");
    require_once("util.inc");
    require_once("config.inc");
    
    global $config;
    $config = parse_config(true);
    $retval = 0;
    // iterate by reference so the change lands in $config, not in a copy
    foreach ($config['filter']['rule'] as &$value) {
    	if (strpos(strtolower($value['descr']), 'pfb_dnsbl_allow_access_to_vip') !== false) {
    		$value['disabled'] = true;
    		//unset($value['disabled']);
    		print_r($value);
    	}
    }
    unset($value); // drop the reference left behind by the foreach
    write_config(gettext("Firewall: Rules - saved/edited a firewall rule."));
    $retval |= filter_configure();
    print_r($retval);
    
    

    Thanks a lot! Works well.

