pfrest · jaredhendrickson13 · Feb 9, 2021 · Feb 8, 2021 · Feb 8, 2021 · Feb 9, 2021
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APIQuery.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APIQuery.inc
@@ -117,6 +117,8 @@ class APIQuery {
                                 return $this->gt($entry[$q], $value);
                             case "gte":
                                 return $this->gte($entry[$q], $value);
+                            case null:
+                                return ($entry[$q] === $value);
                             default:
                                 return false;
                         }

diff --git a/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallNATPortForwardCreate.inc b/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallNATPortForwardCreate.inc
@@ -243,8 +243,10 @@ class APIFirewallNATPortForwardCreate extends APIModel {
 
     private function __init_config() {
         # Ensure our config is formatted for NAT rules
-        if (!is_array($this->config["nat"]["rule"])) {
+        if (!is_array($this->config["nat"])) {
             $this->config["nat"] = [];
+        }
+        if (!is_array($this->config["nat"]["rule"])) {
             $this->config["nat"]["rule"] = [];
         }
     }

diff --git a/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallNATPortForwardUpdate.inc b/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallNATPortForwardUpdate.inc
@@ -123,7 +123,15 @@ class APIFirewallNATPortForwardUpdate extends APIModel {
         if (isset($this->initial_data['src'])) {
             $rule_check = APITools\is_valid_rule_addr($this->initial_data['src'], "source");
             if ($rule_check["valid"]) {
+                # Retain the source port and update the source array
+                $origin_port = $this->validated_data["source"]["port"];
                 $this->validated_data["source"] = $rule_check["data"]["source"];
+
+                # If we had a source port, rewrite it
+                if (isset($origin_port)) {
+                    $this->validated_data["source"]["port"] = $origin_port;
+                }
+
             } else {
                 $this->errors[] = APIResponse\get(4011);
             }
@@ -135,7 +143,14 @@ class APIFirewallNATPortForwardUpdate extends APIModel {
         if (isset($this->initial_data['dst'])) {
             $rule_check = APITools\is_valid_rule_addr($this->initial_data['dst'], "destination");
             if ($rule_check["valid"]) {
+                # Retain the destination port and update the destination array
+                $origin_port = $this->validated_data["destination"]["port"];
                 $this->validated_data["destination"] = $rule_check["data"]["destination"];
+
+                # If we had a destination port, rewrite it
+                if (isset($origin_port)) {
+                    $this->validated_data["destination"]["port"] = $origin_port;
+                }
             } else {
                 $this->errors[] = APIResponse\get(4012);
             }

diff --git a/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallRuleCreate.inc b/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallRuleCreate.inc
@@ -249,6 +249,10 @@ class APIFirewallRuleCreate extends APIModel {
         $this->__validate_log();
         $this->__validate_top();
 
+        # Delay generating the tracker. Reduces the likelihood of two rules getting the same tracker in looped calls
+        # todo: this is a quick fix and still does not guarantee uniqueness, a better solution is needed
+        sleep(1);
+
         # Add our static 'tracker', 'created' and 'updated' values
         $this->validated_data["tracker"] = (int)microtime(true);
         $this->validated_data["created"] = [

diff --git a/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallVirtualIPCreate.inc b/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallVirtualIPCreate.inc
@@ -35,7 +35,7 @@ class APIFirewallVirtualIPCreate extends APIModel {
         APITools\apply_virtual_ip($this->validated_data);
         return APIResponse\get(0, $this->validated_data);
     }
-    
+
     public function validate_payload() {
 
         # Validate our required 'mode' payload value
@@ -105,7 +105,7 @@ class APIFirewallVirtualIPCreate extends APIModel {
         if ($this->validated_data["mode"] === "carp") {
             # Check for our optional 'vhid' payload value. Assume default if none was specified.
             if (isset($this->initial_data['vhid'])) {
-                if (vhid_exists($this->initial_data['vhid'])) {
+                if ($this->__vhid_exists($this->initial_data['vhid'])) {
                     $this->errors[] = APIResponse\get(4027);
                 } elseif (1 > $this->initial_data['vhid'] or $this->initial_data['vhid'] > 255) {
                     $this->errors[] = APIResponse\get(4028);
@@ -152,4 +152,15 @@ class APIFirewallVirtualIPCreate extends APIModel {
         # Set virtual IP type to network. This is easier to handle than allow single IPs too.
         $this->validated_data["type"] = "network";
     }
+
+    private function __vhid_exists($vhid) {
+        # Loop through each virtual IP and ensure it is not using the requested vhid
+        foreach ($this->config["virtualip"]["vip"] as $vip) {
+            if (intval($vhid) === intval($vip["vhid"])) {
+                return true;
+            }
+        }
+        return false;
+    }
+
 }
diff --git a/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallVirtualIPUpdate.inc b/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallVirtualIPUpdate.inc
@@ -105,7 +105,7 @@ class APIFirewallVirtualIPUpdate extends APIModel {
         if ($this->validated_data["mode"] === "carp") {
             # Check for our optional 'vhid' payload value. Assume default if none was specified.
             if (isset($this->initial_data['vhid'])) {
-                if (vhid_exists($this->initial_data['vhid'])) {
+                if ($this->__vhid_exists($this->initial_data['vhid'])) {
                     $this->errors[] = APIResponse\get(4027);
                 } elseif (1 > $this->initial_data['vhid'] or $this->initial_data['vhid'] > 255) {
                     $this->errors[] = APIResponse\get(4028);
@@ -152,4 +152,14 @@ class APIFirewallVirtualIPUpdate extends APIModel {
         # Set virtual IP type to network. This is easier to handle than allow single IPs too.
         $this->validated_data["type"] = "network";
     }
+
+    private function __vhid_exists($vhid) {
+        # Loop through each virtual IP and ensure it is not using the requested vhid
+        foreach ($this->config["virtualip"]["vip"] as $vip) {
+            if (intval($vhid) === intval($vip["vhid"]) and intval($vhid) !== intval($this->validated_data["vhid"])) {
+                return true;
+            }
+        }
+        return false;
+    }
 }
diff --git a/tests/test_api_v1_firewall_virtual_ip.py b/tests/test_api_v1_firewall_virtual_ip.py
@@ -39,6 +39,7 @@ class APIUnitTestFirewallVirtualIP(unit_test_framework.APIUnitTest):
             "interface": "wan",
             "subnet": "172.16.77.229/32",
             "password": "newtestpass",
+            "vhid": 25,
             "descr": "Updated unit Test"
         },
         {

diff --git a/tools/templates/Makefile.j2 b/tools/templates/Makefile.j2
@@ -2,7 +2,7 @@
 
 PORTNAME=pfSense-pkg-API
 PORTVERSION=1.1
-PORTREVISION=3
+PORTREVISION=4
 CATEGORIES=sysutils
 MASTER_SITES=# empty
 DISTFILES=# empty