Added dnpipe, pdnpipe, defaultqueue and ackqueue fields to firewall rule endpoints, prevented shapers from being deleted while in use, updated unit tests

Author: jaredhendrickson13

README.md

@@ -1801,6 +1801,10 @@ URL: https://{{$hostname}}/api/v1/firewall/rule
 | dstport | string or integer | Set the TCP and/or UDP destination port or port alias of the firewall rule. This is only necessary if you have specified the `protocol` to `tcp`, `udp`, `tcp/udp` |
 | gateway | string | Set the routing gateway traffic will take upon match (optional) |
 | sched | string | Set a firewall schedule to apply to this rule. This must be an existing firewall schedule name. (optional) |
+| dnpipe | string | Specify a traffic shaper limiter (in) queue for this rule. This must be an existing traffic shaper limiter or queue. This field is required if a `pdnpipe` value is provided.Ioptional) |
+| pdnpipe | string | Specify a traffic shaper limiter (out) queue for this rule. This must be an existing traffic shaper limiter or queue. This value cannot match the `dnpipe` value and must be a child queue if `dnpipe` is a child queue, or a parent limiiter if `dnpipe` is a parent limiter. (optional) |
+| defaultqueue | string | Specify a default traffic shaper queue to apply to this rule. This must be an existing traffic shaper queue name. This field is required when an `ackqueue` value is provided. (optional) |
+| ackqueue | string | Specify an acknowledge traffic shaper queue to apply to this rule. This must be an existing traffic shaper queue and cannot match the `defaultqueue` value. (optional) |
 | disabled | boolean | Disable the rule upon creation (optional) |
 | descr | string | Set a description for the rule (optional) |
 | log | boolean | Enabling rule matched logging (optional) |
@@ -1929,6 +1933,10 @@ URL: https://{{$hostname}}/api/v1/firewall/rule
 | dstport | string or integer | Update the TCP and/or UDP destination port or port alias of the firewall rule. This is only necessary if you have specified the `protocol` to `tcp`, `udp`, `tcp/udp` |
 | gateway | string | Update the routing gateway traffic will take upon match (optional) |
 | sched | string | Update the firewall schedule to apply to this rule. This must be an existing firewall schedule name. Provide an empty string to remove the configured schedule from the rule. (optional) |
+| dnpipe | string | Update the traffic shaper limiter (in) queue for this rule. This must be an existing traffic shaper limiter or queue. This field is required if a `pdnpipe` value is provided. To unset this value, pass in an empty string. This will also unset the existing `pdnpipe` value. (optional) |
+| pdnpipe | string | Update the traffic shaper limiter (out) queue for this rule. This must be an existing traffic shaper limiter or queue. This value cannot match the `dnpipe` value and must be a child queue if `dnpipe` is a child queue, or a parent limiiter if `dnpipe` is a parent limiter. To unset this value, pass in an empty string. (optional) |
+| defaultqueue | string | Update the default traffic shaper queue to apply to this rule. This must be an existing traffic shaper queue name. This field is required when an `ackqueue` value is provided. To unset this field, pass in an empty string. This will also unset the existing `ackqueue` value. (optional) |
+| ackqueue | string | Update acknowledge traffic shaper queue to apply to this rule. This must be an existing traffic shaper queue and cannot match the `defaultqueue` value. To unset this field, pass in an empty string. (optional) |
 | disabled | boolean | Disable the rule upon modification (optional) |
 | descr | string | Update the description of the rule (optional) |
 | log | boolean | Enable rule matched logging (optional) |

docs/documentation.json

@@ -2220,7 +2220,7 @@
 									}
 								},
 								"url": {
-									"raw": "https://{{$hostname}}/api/v1/firewall/rule?type=string&interface=string&ipprotocol=string&protocol=string&icmptype=string or array&src=string&dst=string&srcport=string or integer&dstport=string or integer&gateway=string&sched=string&disabled=boolean&descr=string&log=boolean&top=boolean&apply=boolean",
+									"raw": "https://{{$hostname}}/api/v1/firewall/rule?type=string&interface=string&ipprotocol=string&protocol=string&icmptype=string or array&src=string&dst=string&srcport=string or integer&dstport=string or integer&gateway=string&sched=string&dnpipe=string&pdnpipe=string&defaultqueue=string&ackqueue=string&disabled=boolean&descr=string&log=boolean&top=boolean&apply=boolean",
 									"protocol": "https",
 									"host": [
 										"{{$hostname}}"
@@ -2287,6 +2287,26 @@
 											"value": "string",
 											"description": "Set a firewall schedule to apply to this rule. This must be an existing firewall schedule name. (optional)"
 										},
+										{
+											"key": "dnpipe",
+											"value": "string",
+											"description": "Specify a traffic shaper limiter (in) queue for this rule. This must be an existing traffic shaper limiter or queue. This field is required if a `pdnpipe` value is provided.Ioptional)"
+										},
+										{
+											"key": "pdnpipe",
+											"value": "string",
+											"description": "Specify a traffic shaper limiter (out) queue for this rule. This must be an existing traffic shaper limiter or queue. This value cannot match the `dnpipe` value and must be a child queue if `dnpipe` is a child queue, or a parent limiiter if `dnpipe` is a parent limiter. (optional)"
+										},
+										{
+											"key": "defaultqueue",
+											"value": "string",
+											"description": "Specify a default traffic shaper queue to apply to this rule. This must be an existing traffic shaper queue name. This field is required when an `ackqueue` value is provided. (optional)"
+										},
+										{
+											"key": "ackqueue",
+											"value": "string",
+											"description": "Specify an acknowledge traffic shaper queue to apply to this rule. This must be an existing traffic shaper queue and cannot match the `defaultqueue` value. (optional)"
+										},
 										{
 											"key": "disabled",
 											"value": "boolean",
@@ -2333,7 +2353,7 @@
 									}
 								},
 								"url": {
-									"raw": "https://{{$hostname}}/api/v1/firewall/rule?tracker=string or Integer&type=string&interface=string&ipprotocol=string&protocol=string&icmptype=string or array&src=string&dst=string&srcport=string or integer&dstport=string or integer&gateway=string&sched=string&disabled=boolean&descr=string&log=boolean&top=boolean&apply=boolean",
+									"raw": "https://{{$hostname}}/api/v1/firewall/rule?tracker=string or Integer&type=string&interface=string&ipprotocol=string&protocol=string&icmptype=string or array&src=string&dst=string&srcport=string or integer&dstport=string or integer&gateway=string&sched=string&dnpipe=string&pdnpipe=string&defaultqueue=string&ackqueue=string&disabled=boolean&descr=string&log=boolean&top=boolean&apply=boolean",
 									"protocol": "https",
 									"host": [
 										"{{$hostname}}"
@@ -2405,6 +2425,26 @@
 											"value": "string",
 											"description": "Update the firewall schedule to apply to this rule. This must be an existing firewall schedule name. Provide an empty string to remove the configured schedule from the rule. (optional)"
 										},
+										{
+											"key": "dnpipe",
+											"value": "string",
+											"description": "Update the traffic shaper limiter (in) queue for this rule. This must be an existing traffic shaper limiter or queue. This field is required if a `pdnpipe` value is provided. To unset this value, pass in an empty string. This will also unset the existing `pdnpipe` value. (optional)"
+										},
+										{
+											"key": "pdnpipe",
+											"value": "string",
+											"description": "Update the traffic shaper limiter (out) queue for this rule. This must be an existing traffic shaper limiter or queue. This value cannot match the `dnpipe` value and must be a child queue if `dnpipe` is a child queue, or a parent limiiter if `dnpipe` is a parent limiter. To unset this value, pass in an empty string. (optional)"
+										},
+										{
+											"key": "defaultqueue",
+											"value": "string",
+											"description": "Update the default traffic shaper queue to apply to this rule. This must be an existing traffic shaper queue name. This field is required when an `ackqueue` value is provided. To unset this field, pass in an empty string. This will also unset the existing `ackqueue` value. (optional)"
+										},
+										{
+											"key": "ackqueue",
+											"value": "string",
+											"description": "Update acknowledge traffic shaper queue to apply to this rule. This must be an existing traffic shaper queue and cannot match the `defaultqueue` value. To unset this field, pass in an empty string. (optional)"
+										},
 										{
 											"key": "disabled",
 											"value": "boolean",

pfSense-pkg-API/files/etc/inc/api/framework/APIResponse.inc

@@ -2312,6 +2312,60 @@ function get($id, $data=[], $all=false) {
             "return" => $id,
             "message" => "Firewall traffic shaper limiter queue name does not exist"
         ],
+        4222 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Unknown firewall rule dnpipe or pdnpipe"
+        ],
+        4223 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Firewall rule dnpipe is required for pdnpipe"
+        ],
+        4224 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Firewall rule dnpipe and pdnpipe queues cannot be the same"
+        ],
+        4225 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Firewall rule dnpipe and pdnpip queue and a virtual interface cannot be selected"
+        ],
+        4226 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Unknown firewall rule default queue"
+        ],
+        4227 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Firewall rule default queue required for ackqueue"
+        ],
+        4228 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Unknown firewall rule ackqueue"
+        ],
+        4229 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Firewall rule default queue and ackqueue cannot be the same"
+        ],
+        4230 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Firewall traffic shaper child queue cannot be deleted while in use"
+        ],
 
         //5000-5999 reserved for /users API calls
         5000 => [

pfSense-pkg-API/files/etc/inc/api/models/APIFirewallRuleCreate.inc

@@ -223,6 +223,91 @@ class APIFirewallRuleCreate extends APIModel {
         }
     }
 
+    private function __validate_dnpipe() {
+        # Check for our optional 'dnpipe' payload value
+        if (isset($this->initial_data["dnpipe"])) {
+            # Load our dummynet config and fetch configured queues
+            read_dummynet_config();
+            $dnqueues = get_unique_dnqueue_list();
+
+            # Ensure this is a valid queue
+            if (array_key_exists($this->initial_data["dnpipe"], $dnqueues)) {
+                $this->validated_data["dnpipe"] = $this->initial_data["dnpipe"];
+            } else {
+                $this->errors[] = APIResponse\get(4222);
+            }
+        }
+    }
+
+    private function __validate_pdnpipe() {
+        # Check for our optional 'pdnpipe' payload value
+        if (isset($this->initial_data["pdnpipe"])) {
+            # Load our dummynet config and fetch configured queues
+            read_dummynet_config();
+            $dnqueues = get_unique_dnqueue_list();
+
+            # Only allow this setting if a dnpipe was set
+            if (isset($this->validated_data["dnpipe"])) {
+                # Ensure this is a valid queue
+                if (array_key_exists($this->initial_data["pdnpipe"], $dnqueues)) {
+                    # Ensure the dnpipe does not match the pdn pipe
+                    if ($this->initial_data["pdnpipe"] !== $this->validated_data["dnpipe"]) {
+                        # Determine pipe types
+                        $dnpipe_type = $dnqueues[$this->validated_data['dnpipe']][0];
+                        $pdnpipe_type = $dnqueues[$_POST['pdnpipe']][0];
+
+                        # Ensure the dnpipe and pdnpipe types do not match
+                        if (($dnpipe_type === "?" and $pdnpipe_type !== "?") or ($pdnpipe_type === "?" and $dnpipe_type !== "?")) {
+                            $this->validated_data["pdnpipe"] = $this->initial_data["pdnpipe"];
+                        } else {
+                            $this->errors[] = APIResponse\get(4225);
+                        }
+                    } else {
+                        $this->errors[] = APIResponse\get(4224);
+                    }
+                } else {
+                    $this->errors[] = APIResponse\get(4222);
+                }
+            } else {
+                $this->errors[] = APIResponse\get(4223);
+            }
+        }
+    }
+
+    private function __validate_defaultqueue() {
+        # Validate our optional 'defaultqueue' payload value
+        if (isset($this->initial_data["defaultqueue"])) {
+            # Require the value to be a known altq (traffic shaper) queue
+            if ($this->is_altq_queue($this->initial_data["defaultqueue"])) {
+                $this->validated_data["defaultqueue"] = $this->initial_data["defaultqueue"];
+            } else {
+                $this->errors[] = APIResponse\get(4226);
+            }
+        }
+    }
+
+    private function __validate_ackqueue() {
+        # Validate our optional 'ackqueue' payload value
+        if (isset($this->initial_data["ackqueue"])) {
+            # Only allow this field if a default queue was provided
+            if (isset($this->validated_data["defaultqueue"])) {
+                # Require the value to be a known altq (traffic shaper) queue
+                if ($this->is_altq_queue($this->initial_data["ackqueue"])) {
+                    # Ackqueue cannot match default queue
+                    if ($this->initial_data["ackqueue"] !== $this->validated_data["defaultqueue"]) {
+                        $this->validated_data["ackqueue"] = $this->initial_data["ackqueue"];
+                    } else {
+                        $this->errors[] = APIResponse\get(4229);
+                    }
+                } else {
+                    $this->errors[] = APIResponse\get(4228);
+                }
+            } else {
+                $this->errors[] = APIResponse\get(4227);
+            }
+        }
+    }
+
     private function __validate_disabled() {
         # Check for our optional 'disabled' payload value
         if ($this->initial_data['disabled'] === true) {
@@ -263,6 +348,10 @@ class APIFirewallRuleCreate extends APIModel {
         $this->__validate_dstport();
         $this->__validate_gateway();
         $this->__validate_sched();
+        $this->__validate_dnpipe();
+        $this->__validate_pdnpipe();
+        $this->__validate_defaultqueue();
+        $this->__validate_ackqueue();
         $this->__validate_disabled();
         $this->__validate_descr();
         $this->__validate_log();
@@ -283,6 +372,24 @@ class APIFirewallRuleCreate extends APIModel {
         $this->validated_data["updated"] = $this->validated_data["created"];
     }
 
+    public function is_altq_queue($name) {
+        # Local variables
+        read_altq_config();
+        $qlist = get_unique_queue_list();
+        $iflist = get_configured_interface_with_descr();
+        $list = [];
+
+        # Format interface queues
+        foreach ($qlist as $q => $qkey) {
+            if (isset($ifdisp[$q])) {
+                $list[$q] = $iflist[$q];
+            } else {
+                $list[$q] = $q;
+            }
+        }
+        return array_key_exists($name, $list);
+    }
+
     public function apply() {
         # Mark the firewall subsystem as changed, this will be cleared if applied
         mark_subsystem_dirty('filter');
@@ -293,4 +400,4 @@ class APIFirewallRuleCreate extends APIModel {
             clear_subsystem_dirty('filter');
         }
     }
-}
+}