Created endpoint for reading and updating outbound NAT mode, create unit test for outbound NAT endpoint, updated docs

Author: Jared Hendrickson

README.md

@@ -515,6 +515,11 @@ There is no limit to API calls at this time but is important to note that pfSens
   * [Read NAT 1:1 Mappings](#3-read-nat-1:1-mappings)
   * [Update NAT 1:1 Mappings](#4-update-nat-1:1-mappings)
 
+* [FIREWALL/NAT/OUTBOUND](#firewallnatoutbound)
+
+  * [Read Outbound NAT Settings](#1-read-outbound-nat-settings)
+  * [Update Outbound NAT Settings](#2-update-outbound-nat-settings)
+
 * [FIREWALL/NAT/PORTFOWARD](#firewallnatportfoward)
 
   * [Create NAT Port Forwards](#1-create-nat-port-forwards)
@@ -1204,6 +1209,74 @@ URL: https://{{$hostname}}/api/v1/firewall/nat/port_forward
 
 
 
+## FIREWALL/NAT/OUTBOUND
+
+
+
+### 1. Read Outbound NAT Settings
+
+
+Read outbound NAT mode settings.<br><br>
+
+_Requires at least one of the following privileges:_ [`page-all`, `page-firewall-nat-outbound`]
+
+
+***Endpoint:***
+
+```bash
+Method: GET
+Type: RAW
+URL: https://{{$hostname}}/api/v1/firewall/nat/outbound
+```
+
+
+
+***Body:***
+
+```js        
+{
+    
+}
+```
+
+
+
+### 2. Update Outbound NAT Settings
+
+
+Update outbound NAT mode settings.<br><br>
+
+_Requires at least one of the following privileges:_ [`page-all`, `page-firewall-nat-outbound`]
+
+
+***Endpoint:***
+
+```bash
+Method: PUT
+Type: RAW
+URL: https://{{$hostname}}/api/v1/firewall/nat/outbound
+```
+
+
+
+***Query params:***
+
+| Key | Value | Description |
+| --- | ------|-------------|
+| mode | string | Update the outbound NAT mode. Options are `automatic` to automatically generate outbound NAT rules, `hybrid` to support both automatiic and manual outbound NAT rules , `advanced` to require all rules to be entered manually, or `disabled` to disable outbound NAT altogether. If updating to `advanced` from `automatic` or `hybrid`, the API will automatically create manual entries for each automatically generated outbound NAT entry. |
+
+
+
+***Body:***
+
+```js        
+{
+    
+}
+```
+
+
+
 ## FIREWALL/NAT/PORTFOWARD
 
 

docs/documentation.json

@@ -3220,6 +3220,110 @@
 								}
 							],
 							"description": "API endpoints that create, read, update and delete 1:1 NAT mappings.",
+							"event": [
+								{
+									"listen": "prerequest",
+									"script": {
+										"id": "b651d13f-bac6-4972-b51b-e809a66de831",
+										"type": "text/javascript",
+										"exec": [
+											""
+										]
+									}
+								},
+								{
+									"listen": "test",
+									"script": {
+										"id": "e47f7092-4987-458a-9712-e6073c33a4f7",
+										"type": "text/javascript",
+										"exec": [
+											""
+										]
+									}
+								}
+							],
+							"protocolProfileBehavior": {},
+							"_postman_isSubFolder": true
+						},
+						{
+							"name": "OUTBOUND",
+							"item": [
+								{
+									"name": "Read Outbound NAT Settings",
+									"protocolProfileBehavior": {
+										"disableBodyPruning": true
+									},
+									"request": {
+										"method": "GET",
+										"header": [],
+										"body": {
+											"mode": "raw",
+											"raw": "{\n    \n}",
+											"options": {
+												"raw": {
+													"language": "json"
+												}
+											}
+										},
+										"url": {
+											"raw": "https://{{$hostname}}/api/v1/firewall/nat/outbound",
+											"protocol": "https",
+											"host": [
+												"{{$hostname}}"
+											],
+											"path": [
+												"api",
+												"v1",
+												"firewall",
+												"nat",
+												"outbound"
+											]
+										},
+										"description": "Read outbound NAT mode settings.<br><br>\n\n_Requires at least one of the following privileges:_ [`page-all`, `page-firewall-nat-outbound`]"
+									},
+									"response": []
+								},
+								{
+									"name": "Update Outbound NAT Settings",
+									"request": {
+										"method": "PUT",
+										"header": [],
+										"body": {
+											"mode": "raw",
+											"raw": "{\n    \n}",
+											"options": {
+												"raw": {
+													"language": "json"
+												}
+											}
+										},
+										"url": {
+											"raw": "https://{{$hostname}}/api/v1/firewall/nat/outbound?mode=string",
+											"protocol": "https",
+											"host": [
+												"{{$hostname}}"
+											],
+											"path": [
+												"api",
+												"v1",
+												"firewall",
+												"nat",
+												"outbound"
+											],
+											"query": [
+												{
+													"key": "mode",
+													"value": "string",
+													"description": "Update the outbound NAT mode. Options are `automatic` to automatically generate outbound NAT rules, `hybrid` to support both automatiic and manual outbound NAT rules , `advanced` to require all rules to be entered manually, or `disabled` to disable outbound NAT altogether. If updating to `advanced` from `automatic` or `hybrid`, the API will automatically create manual entries for each automatically generated outbound NAT entry."
+												}
+											]
+										},
+										"description": "Update outbound NAT mode settings.<br><br>\n\n_Requires at least one of the following privileges:_ [`page-all`, `page-firewall-nat-outbound`]"
+									},
+									"response": []
+								}
+							],
+							"description": "API endpoints that create, read, update and delete outbound NAT settings.",
 							"protocolProfileBehavior": {},
 							"_postman_isSubFolder": true
 						},

pfSense-pkg-API/files/etc/inc/api/endpoints/APIFirewallNATOutbound.inc

@@ -0,0 +1,30 @@
+<?php
+//   Copyright 2020 Jared Hendrickson
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+require_once("api/framework/APIEndpoint.inc");
+
+class APIFirewallNATOutbound extends APIEndpoint {
+    public function __construct() {
+        $this->url = "/api/v1/firewall/nat/outbound";
+    }
+
+    protected function get() {
+        return (new APIFirewallNATOutboundRead())->call();
+    }
+
+    protected function put() {
+        return (new APIFirewallNATOutboundUpdate())->call();
+    }
+}

pfSense-pkg-API/files/etc/inc/api/framework/APIResponse.inc

@@ -1394,6 +1394,12 @@ function get($id, $data=[], $all=false) {
             "return" => $id,
             "message" => "1:1 NAT rule ID does not exist"
         ],
+        4085 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Invalid outbound NAT mode"
+        ],
 
         //5000-5999 reserved for /users API calls
         5000 => [

pfSense-pkg-API/files/etc/inc/api/models/APIFirewallNATOutboundRead.inc

@@ -0,0 +1,35 @@
+<?php
+//   Copyright 2020 Jared Hendrickson
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+require_once("api/framework/APIModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+class APIFirewallNATOutboundRead extends APIModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->privileges = ["page-all", "page-firewall-nat-outbound"];
+    }
+
+    public function action() {
+        # If default outbound NAT mode (auto) is configured, set a representation of this value since none is shown
+        if (empty($this->config["nat"]["outbound"]["mode"])) {
+            $this->validated_data = ["mode" => "automatic"];
+        } else {
+            $this->validated_data = ["mode" => $this->config["nat"]["outbound"]["mode"]];
+        }
+        return APIResponse\get(0, $this->validated_data);
+    }
+}

pfSense-pkg-API/files/etc/inc/api/models/APIFirewallNATOutboundUpdate.inc

@@ -0,0 +1,113 @@
+<?php
+//   Copyright 2020 Jared Hendrickson
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+require_once("api/framework/APIModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+class APIFirewallNATOutboundUpdate extends APIModel {
+    private $modes;
+    private $current_mode;
+
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->privileges = ["page-all", "page-firewall-nat-outbound"];
+        $this->modes = ["automatic", "hybrid", "advanced", "disabled"];
+
+    }
+
+    public function action() {
+        # Create automatic rules if required, write to config and reload the filter
+        $this->create_automatic_rules();
+        $this->config["nat"]["outbound"]["mode"] = $this->validated_data["mode"];
+        $this->write_config();
+        filter_configure();
+
+        return APIResponse\get(0, $this->validated_data);
+    }
+
+    private function __get_default() {
+        # Default to the current configured value, if no value is configured default to automatic
+        $this->validated_data["mode"] = $this->config["nat"]["outbound"]["mode"];
+        if (empty($this->validated_data["mode"])) {
+            $this->validated_data["mode"] = "automatic";
+        }
+    }
+
+    private function __validate_mode() {
+        $this->current_mode = $this->validated_data["mode"];
+        # Optionally allow client to update the outbound NAT mode
+        if (isset($this->initial_data["mode"])) {
+            # Require the mode to be a supported outbound NAT mode
+            if (in_array($this->initial_data["mode"], $this->modes)) {
+                $this->validated_data["mode"] = $this->initial_data["mode"];
+            } else {
+                $this->errors[] = APIResponse\get(4085);
+            }
+        }
+    }
+
+    # Creates manual rule entries for auto created rules when switching from hybrid/automatic to advanced
+    public function create_automatic_rules() {
+        global $FilterIflist;
+        global $GatewaysList;
+
+        if ($this->validated_data["mode"] == "advanced" and in_array($this->current_mode, ["automatic", "hybrid"])) {
+            if (empty($FilterIflist)) {
+                filter_generate_optcfg_array();
+            }
+
+            if (empty($GatewaysList)) {
+                filter_generate_gateways();
+            }
+            $to_nat_hosts = filter_nat_rules_automatic_tonathosts(true);
+            $automatic_rules = filter_nat_rules_outbound_automatic("");
+
+            foreach ($to_nat_hosts as $to_nat_host) {
+                foreach ($automatic_rules as $nat_ent) {
+                    $nat_ent['source']['network'] = $to_nat_host['subnet'];
+                    $nat_ent['descr'] .= sprintf(gettext(' - %1$s to %2$s'),
+                        $to_nat_host['descr'],
+                        convert_real_interface_to_friendly_descr($nat_ent['interface']));
+                    $nat_ent['created'] = make_config_revision_entry(null, gettext("Manual Outbound NAT Switch"));
+
+                    if ($this->__is_duplicate_rule($nat_ent) === false) {
+                        $this->config["nat"]["outbound"]["rule"][] = $nat_ent;
+                    }
+                }
+            }
+            unset($FilterIflist, $GatewaysList);
+        }
+    }
+
+    # Checks if this outbound NAT entry is a duplicate. Returns true or false.
+    private function __is_duplicate_rule($nat_ent) {
+        foreach ($this->config["nat"]["outbound"]["rule"] as $rule) {
+            if ($rule['interface'] == $nat_ent['interface'] &&
+                $rule['source']['network'] == $nat_ent['source']['network'] &&
+                $rule['dstport'] == $nat_ent['dstport'] &&
+                $rule['target'] == $nat_ent['target'] &&
+                $rule['descr'] == $nat_ent['descr']) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public function validate_payload() {
+        $this->__get_default();
+        $this->__validate_mode();
+    }
+}