Firewall – pfSense Shell : apply config modification without reboot

Tags: automation, firewall, pfsense, shell

I'm currently trying to edit the configuration of a running pfSense in production with the pfSsh.php shell. By using the pfSsh.php shell I'm able to modify the configuration but once I write it, it isn't applied to the system.

Is there a way to force a configuration reload without rebooting the whole system?

pfSense shell: $newIp['mode'] = 'ipalias';
pfSense shell: $newIp['interface'] = 'wan';
pfSense shell: $newIp['descr'] = 'vip1';
pfSense shell: $newIp['type'] = 'single';
pfSense shell: $newIp['subnet_bits'] = 24;
pfSense shell: $newIp['subnet'] = '192.168.0.241';
pfSense shell: $config['virtualip']['vip'][] = $newIp;
pfSense shell: parse_config(true);
pfSense shell: write_config();
pfSense shell: exec;

If I print the configuration, I can see that the vip is added:

     [virtualip] => Array
       (
           [vip] => Array
               (
                   [0] => Array
                       (
                           [mode] => ipalias
                           [interface] => wan
                           [uniqid] => 578aa9852a7bf
                           [descr] => test
                           [type] => single
                           [subnet_bits] => 24
                           [subnet] => 192.168.0.239
                       )

                   [1] => Array
                       (
                           [mode] => ipalias
                           [interface] => wan
                           [descr] => Unused IP
                           [type] => single
                           [subnet_bits] => 24
                           [subnet] => 192.168.0.241

But on the system, the vip isn't added until I reboot:

[2.3.1-RELEASE][admin@pfSense.localdomain]/root: ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
       ether 00:0c:29:22:55:0b
       inet6 fe80::20c:29ff:fe22:550b%em0 prefixlen 64 scopeid 0x1
       inet 192.168.0.240 netmask 0xffffff00 broadcast 192.168.0.255

EDIT:

Thanks to Chris's answer I used the interface_ipalias_configure method, which worked as expected. I put a simple looping example below which adds multiple VIPs, from 192.168.0.74 to 79, to a CARP VIP, in case it helps someone.

This PHP script is written to /etc/phpshellsessions/myscript and executed through the "pfSsh.php playback myscript" command in a remote console as admin.

$vipPrefix = '192.168.0.';
$vipNetmask = '24';

// Collect the addresses of the VIPs already in the config so none is added twice.
$tmp = array();
foreach ($config['virtualip']['vip'] as $k => $value) {
    $tmp[] = $value['subnet'];
}

// Move to the last existing VIP entry; new entries are appended after its index.
end($config['virtualip']['vip']);

$vID = key($config['virtualip']['vip']);

for ($i = 74; $i < 80; $i++) {

    $byte = strval($i);

    if (!in_array($vipPrefix . $byte, $tmp)) {

        $vID++;
        $newIp['mode'] = 'ipalias';
        // Parent CARP VIP, referenced as "_vip" followed by its uniqid.
        $newIp['interface'] = '_vip57cc61f85d2c8';
        $newIp['descr'] = $vipPrefix . $byte;
        $newIp['type'] = 'single';
        $newIp['subnet_bits'] = $vipNetmask;
        $newIp['subnet'] = $vipPrefix . $byte;
        $newIp['uniqid'] = uniqid();
        $config['virtualip']['vip'][$vID] = $newIp;
        parse_config(true);
        write_config();
        // Apply the new alias on the running system, as the GUI does on "Apply changes".
        interface_ipalias_configure($config['virtualip']['vip'][$vID]);
    }
}

print_r($config['virtualip']['vip']);

exec;

Best Answer

What you're doing there is only changing the config. That much of it's correct, but then you need to apply those changes.

For the case of VIPs, check what firewall_virtual_ip.php does when you apply changes. https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/firewall_virtual_ip.php#L48

Do that in your code after doing the write_config.
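Putting the answer's advice together with the script from the question, here is an added example (not code from the question, the answer, or the pfSense project) of a pfSsh.php playback script that validates a VIP, refuses duplicates, writes the config with a description so the change shows up in the config history, and then applies it the way firewall_virtual_ip.php does: a per-mode dispatch followed by filter_configure() so rules and NAT that reference the new address pick it up. It assumes pfSense 2.3-era function names (interface_ipalias_configure from the question, plus interface_carp_configure, interface_proxyarp_configure, filter_configure, is_ipaddrv4, get_configured_interface_list and write_config's description argument), which should be checked against your version's firewall_virtual_ip.php; the address and interface values are constructed, and the helpers vip_validate, vip_find_duplicate and vip_apply are mine. Like the question's script, the playback file carries no opening <?php tag.

```php
/*
 * Added example, not from the question or the answer: add one VIP through the
 * pfSsh.php playback mechanism and apply it without a reboot.
 * Function names assumed from pfSense 2.3 (interfaces.inc, filter.inc,
 * util.inc, config.lib.inc); verify against your release.
 */
require_once('config.inc');
require_once('util.inc');
require_once('interfaces.inc');
require_once('filter.inc');

// Constructed sample input (RFC 5737 documentation address); change to suit.
$wanted = array(
    'mode'        => 'ipalias',
    'interface'   => 'wan',          // a configured interface, or _vip<uniqid> of a CARP VIP
    'descr'       => 'added from pfSsh playback',
    'type'        => 'single',
    'subnet_bits' => '24',
    'subnet'      => '192.0.2.241',
);

/* Index of an existing VIP with the same address on the same interface, or false.
 * Appending blindly would leave two entries claiming one address. */
function vip_find_duplicate(array $vips, array $vip) {
    foreach ($vips as $idx => $existing) {
        if ($existing['subnet'] === $vip['subnet'] &&
            $existing['interface'] === $vip['interface']) {
            return $idx;
        }
    }
    return false;
}

/* Check the fields a VIP needs before anything reaches config.xml. */
function vip_validate(array $vip, array $ifaces) {
    $errors = array();
    if (!in_array($vip['mode'], array('ipalias', 'carp', 'proxyarp'))) {
        $errors[] = "unsupported mode {$vip['mode']}";
    }
    if (!is_ipaddrv4($vip['subnet'])) {
        $errors[] = "{$vip['subnet']} is not an IPv4 address";
    }
    $bits = (int)$vip['subnet_bits'];
    if ($bits < 1 || $bits > 32) {
        $errors[] = "bad prefix length {$vip['subnet_bits']}";
    }
    $on_carp_vip = (strpos($vip['interface'], '_vip') === 0);
    if (!$on_carp_vip && !in_array($vip['interface'], $ifaces)) {
        $errors[] = "unknown interface {$vip['interface']}";
    }
    return $errors;
}

/* Bring the VIP up on the live system, mirroring the per-mode dispatch in
 * firewall_virtual_ip.php, then reload the ruleset. */
function vip_apply(array $vip) {
    switch ($vip['mode']) {
        case 'ipalias':
            interface_ipalias_configure($vip);
            break;
        case 'carp':
            interface_carp_configure($vip);
            break;
        case 'proxyarp':
            interface_proxyarp_configure();
            break;
    }
    return filter_configure();
}

if (!is_array($config['virtualip']['vip'])) {
    $config['virtualip']['vip'] = array();
}
$ifaces = array_keys(get_configured_interface_list());

$errors = vip_validate($wanted, $ifaces);
if ($errors) {
    echo "refusing to add VIP: " . implode('; ', $errors) . "\n";
} elseif (vip_find_duplicate($config['virtualip']['vip'], $wanted) !== false) {
    echo "VIP {$wanted['subnet']} already exists on {$wanted['interface']}, nothing to do\n";
} else {
    $wanted['uniqid'] = uniqid();
    $config['virtualip']['vip'][] = $wanted;
    // The description is what the config history / backup list shows for this change.
    write_config("pfSsh playback: added {$wanted['mode']} VIP "
        . "{$wanted['subnet']}/{$wanted['subnet_bits']} on {$wanted['interface']}");
    vip_apply($wanted);
    echo "added and applied VIP {$wanted['subnet']}\n";
}
```

Validate first and write second: once write_config() has run, a malformed entry is persisted and will be applied again at the next boot, which is exactly the situation a reboot-free workflow is meant to avoid. Applying only the entry just added, rather than re-running the configure routines over every VIP, keeps the blast radius of a scripted change to the one address it touches.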
