    [solved] Script to disable rules based on keyword

      joelones

      I'm trying to write a script to disable rules based on a keyword. So with this code:

      // Entered into the pfSense developer shell (pfSsh.php), which buffers the PHP
      // lines typed at its prompt: "exec;" runs the buffered code and "exit" leaves the shell.
      global $config;
      $config = parse_config(true);
      print_r($config);
      exec;
      exit
      

      I figured that I could change the [filter][rule][0][disabled] variable to get the desired action, correct? What should I change it to?

      So what I did was a test: I disabled a rule via the GUI, then inspected the [disabled] value, yet it still remained empty. I would have expected it to be set to "yes" or "true". Do I need to run a command to output the updated value with the above code?

        PiBa

        The fact that the [disabled] key 'exists' is enough to disable a rule; you can set it to '= true', for example. To enable it again, unset() that item and it will disappear from the config.

        As seen here: https://github.com/pfsense/pfsense/blob/a512609213f2a8fd86c7515c9235e1760d7026ed/src/usr/local/www/firewall_rules_edit.php#L884

        		if ($_POST['disabled']) {
        			$filterent['disabled'] = true;
        		} else {
        			unset($filterent['disabled']);
        		}
        

        Then save the changed configuration: https://github.com/pfsense/pfsense/blob/a512609213f2a8fd86c7515c9235e1760d7026ed/src/usr/local/www/firewall_rules_edit.php#L1015

        
        		write_config(gettext("Firewall: Rules - saved/edited a firewall rule."))
        

        Other than that, don't forget to 'apply' your new rules :).
        https://github.com/pfsense/pfsense/blob/a512609213f2a8fd86c7515c9235e1760d7026ed/src/usr/local/www/firewall_rules.php#L172
        With a call to:

        
        	$retval |= filter_configure();
        
          joelones

          @PiBa:


          Thanks for the help. However, I'm testing this on one rule with the code that follows, which is run from a bash script. I do see the [disabled] variable set, but I do not see the rule updated in the web interface.

          #!/bin/sh
          # A script to disable pfb_ rules.
          # The quoted 'EOF' delimiter keeps the shell from expanding $config, $value
          # and $retval before PHP ever sees them.
          cat << 'EOF' > /tmp/run2
          require_once("filter.inc");
          global $config;
          $config = parse_config(true);
          foreach ($config['filter']['rule'] as $value) {
              if (strpos(strtolower($value['descr']), 'pfb_dnsbl_allow_access_to_vip') !== false) {
                  $value['disabled'] = true;
                  #unset($value['disabled']);
                  print_r($value);
              }
          }
          write_config(gettext("Firewall: Rules - saved/edited a firewall rule."));
          $retval |= filter_configure();
          print_r($retval);
          exec;
          exit
          EOF

            PiBa

            There are a few issues, I think :)
            The code you have 'creates' a run2 file, but I'm not sure how you execute that. It seemed to be missing things: not enough includes, and $value does not modify the original; use &$value to keep the reference to the original array value that needs to be modified.

            I would probably create a PHP file /root/script.sh that can be directly executed when given execute permissions (chmod +x /root/script.sh).
            The code below 'works for me' :).

            #!/usr/local/bin/php-cgi -f
            <?php
            // Stand-alone PHP script run on the firewall itself; the pfSense include
            // files below provide parse_config(), write_config() and filter_configure().
            require_once("globals.inc");
            require_once("filter.inc");
            require_once("util.inc");
            require_once("config.inc");

            global $config;
            $config = parse_config(true);
            // Iterate by reference (&$value) so the assignment below changes the rule
            // inside $config rather than a copy of it.
            foreach ($config['filter']['rule'] as &$value) {
            	if (strpos(strtolower($value['descr']), 'pfb_dnsbl_allow_access_to_vip') !== false) {
            		// The presence of the 'disabled' key is what disables the rule.
            		$value['disabled'] = true;
            		//unset($value['disabled']); // re-enable by removing the key
            		print_r($value);
            	}
            }
            unset($value); // break the reference left behind by foreach
            write_config(gettext("Firewall: Rules - saved/edited a firewall rule."));
            $retval = 0;
            $retval |= filter_configure();
            print_r($retval);
            
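A reusable version of the approach PiBa describes, added here as an example (it is not code from the thread or from pfSense): the keyword match and the enable/disable toggle live in one function that reports how many rules it changed, a dry-run flag lets you inspect the result before write_config() and filter_configure() are called, and re-enabling is done by unset() of the key, since in pfSense the key's presence is what disables a rule. The keyword, the `$disable`/`$dry_run` settings and the function name are assumptions; the include files and the three pfSense functions are the ones used above.

```php
#!/usr/local/bin/php-cgi -f
<?php
// Added example, not from the thread or pfSense. Same includes as PiBa's script.
require_once("globals.inc");
require_once("config.inc");
require_once("util.inc");
require_once("filter.inc");
// Assumed settings (edit before running). $disable = false re-enables matches.
$keyword = 'pfb_dnsbl_allow_access_to_vip';
$disable = true;
$dry_run = true;   // true: only report what would change, write nothing
// Toggle every rule whose description contains $keyword (case-insensitive).
// In pfSense a rule is disabled when the 'disabled' key exists at all, so
// disabling sets it and enabling unset()s it. Returns the number of rules changed.
function set_rules_by_keyword(array &$rules, $keyword, $disable) {
    $changed = 0;
    $needle = strtolower($keyword);
    foreach ($rules as &$rule) {
        $descr = isset($rule['descr']) ? strtolower($rule['descr']) : '';
        if ($needle === '' || strpos($descr, $needle) === false) {
            continue;
        }
        if ($disable && !isset($rule['disabled'])) {
            $rule['disabled'] = true;
            $changed++;
        } elseif (!$disable && isset($rule['disabled'])) {
            unset($rule['disabled']);
            $changed++;
        }
    }
    unset($rule); // break the reference left behind by foreach
    return $changed;
}

global $config;
$config = parse_config(true);
if (!isset($config['filter']['rule']) || !is_array($config['filter']['rule'])) {
    echo "no firewall rules in config\n";
    exit(0);
}
$changed = set_rules_by_keyword($config['filter']['rule'], $keyword, $disable);
$verb = $disable ? 'disabled' : 'enabled';
echo "{$changed} rule(s) matching '{$keyword}' {$verb}" . ($dry_run ? " (dry run, nothing written)" : "") . "\n";
if ($changed > 0 && !$dry_run) {
    // Persist to config.xml, then reload the ruleset so the change takes effect.
    write_config(sprintf("Firewall: Rules - %s %d rule(s) matching '%s'", $verb, $changed, $keyword));
    $retval = filter_configure();
    echo "filter_configure() returned {$retval}\n";
}
```

Run it once with `$dry_run = true` to confirm only the intended rules match before letting it write the config; every write is recorded in the config history with the message passed to write_config().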
              joelones

              @PiBa:


              Thanks a lot! Works well.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.