auth

script add_user.php

Params

• $argvarray

  • -h show this help text and exit”

  • -u [required] username”

  • -o origin (default=automation)”

Returns

• str

  • echos the status of the operation

script list_group_members.php

Retrieves a list of system groups and their corresponding members.

Returns

• string

• A JSON-encoded array containing system groups as keys and their details as values, including group name and member list.

dhcp

script cleanup_leases4.php

Cleans up DHCP leases by removing expired or unwanted leases.

This script reads the DHCP lease file, removes leases that match the specified criteria, and writes the updated lease file.

Params

• $argsvarray

  • -h : Show help text and exit.

  • -m : Remove static MAC addresses.

  • -s : Restart the DHCP service (required when the service is active).

  • -d=xxx : Remove the specified IP address.

  • -f=dhcpd.leases : Specify the DHCP lease file (default: /var/dhcpd/var/db/dhcpd.leases).

Arguments

• dhcp_lease_file : string - The path to the DHCP lease file (default: /var/dhcpd/var/db/dhcpd.leases).

• opts : array - An array of command-line options.

• addresses : array - An array of IP addresses to remove.

Returns

• A JSON-encoded array with the number of removed leases.

Options

script cleanup_leases6.php

Cleans up DHCPv6 leases by removing expired or unwanted leases.

This script reads the DHCPv6 lease file, removes leases that match the specified criteria, and writes the updated lease file.

Params

• argsvarray

  • -h : Show help text and exit.

  • -s : Restart the DHCPv6 service (required when the service is active).

  • -d=xxx : Remove the specified IPv6 address.

  • -f=dhcpd6.leases : Specify the DHCPv6 lease file (default: /var/dhcpd/var/db/dhcpd6.leases).

Arguments

• dhcp_lease_file : string - The path to the DHCPv6 lease file (default: /var/dhcpd/var/db/dhcpd6.leases).

• opts : array - An array of command-line options.

• ip_to_remove : string - The IPv6 address to remove.

Returns

• A JSON-encoded array with the number of removed leases.

script dnsmasq_watcher.py

Parameters

• domainstr

  • Description: default domain to use

  • options : [’–domain’]

  • default : local

  • required : False

• pidstr

  • Description: pid file location

  • options : [’–pid’]

  • default : /var/run/dnsmasq_dhcpd.pid

  • required : False

• servicepidstr

  • Description: dnsmasq pid file location

  • options : [’–servicepid’]

  • default : /var/run/dnsmasq.pid

  • required : False

• sourcestr

  • Description: source leases file

  • options : [’–source’]

  • default : /var/dhcpd/var/db/dhcpd.leases

  • required : False

• targetstr

  • Description: target config file

  • options : [’–target’]

  • default : /var/etc/dnsmasq-leases

  • required : False

script get_kea_leases.py

Parameters

• protostr

  • Description: protocol to fetch (inet, inet6)

  • options : [’–proto’]

  • default : inet

  • choices : [‘inet’]

  • required : False

script prefixes.sh

Watches for changes in the DHCPv6 leases file and updates the configuration.

It uses the md5 command to calculate the checksum of the leases file. If the checksum changes, it updates the DHCPv6 configuration using the configctl command. Thescript runs indefinitely and checks for changes at the specified interval.

Params

• ${1}int

  • INTERVAL: The interval in seconds to check for changes (default: 20).

Notes

• Thisscript assumes that the necessary commands (md5, configctl) are available.

• Thescript uses the /var/dhcpd/var/db/dhcpd6.leases file to store the DHCPv6 leases.

script prefixes.sh

Watches for changes in the DHCPv6 leases file and updates the configuration.

It uses the md5 command to calculate the checksum of the leases file. If the checksum changes, it updates the DHCPv6 configuration using the configctl command. Thescript runs indefinitely and checks for changes at the specified interval.

Params

• ${1}int

  • INTERVAL: The interval in seconds to check for changes (default: 20).

Notes

• Thisscript assumes that the necessary commands (md5, configctl) are available.

• Thescript uses the /var/dhcpd/var/db/dhcpd6.leases file to store the DHCPv6 leases.

dns

script query_dns.py

Parameters

• domainstr

  • Description: domain name to query

  • options : []

  • required : True

• typesstr

  • Description: list of types to query (when querying hostnames)

  • options : [’–types’]

  • default : A,AAAA,MX,TXT

  • required : False

• serverstr

  • Description: server to query

  • options : [’–server’]

  • required : False

filter

script kill_states.py

Parameters

• filterstr

  • Description: filter results

  • options : [’–filter’]

  • default :

  • required : False

• labelstr

  • Description: label / rule id

  • options : [’–label’]

  • default :

  • required : False

script list_states.py

Parameters

• filterstr

  • Description: filter results

  • options : [’–filter’]

  • default :

  • required : False

• labelstr

  • Description: label / rule id

  • options : [’–label’]

  • default :

  • required : False

• limitstr

  • Description: limit number of results

  • options : [’–limit’]

  • default :

  • required : False

• offsetstr

  • Description: offset results

  • options : [’–offset’]

  • default :

  • required : False

• sort_bystr

  • Description: sort by (field asc|desc)

  • options : [’–sort_by’]

  • default :

  • required : False

script rollback_cancle.php

This script is used to cancel a rollback operation by deleting the corresponding lock file.

The script assumes that the lock file is in the format “/tmp/filter_<revision>.lock”.

Params

• argsv[0]int

  • (optional): The revision number to cancel

Flow

• Checks if a revision number is provided as a command-line argument

• If a revision number is provided, checks if a lock file exists for that revision

• If the lock file exists, deletes it and exits with a success code (0)

• If no revision number is provided or the lock file does not exist, exits with a failure code (1)

Outputs

• Exit code: 0 (success) or 1 (failure)

script rollback_timer.php

A script to manage the rollback timer for firewall filter changes.

It uses the OPNsenseFirewallFilter class to manage firewall filter changes. It is used to manage the rollback timer for firewall filter changes.

Params

• argsv[0]int

  • (optional): The revision number to cancel

Functions

• OPNsenseFirewallFilter::rollback($revision): Rolls back to the specified revision

• OPNsenseCoreBackend::configdRun($command): Runs a command on the backend

Flow

• Checks the command-line arguments for the revision number

• Creates a lock file for the revision

• Waits for 60 seconds for the API to callback

• If the lock file is deleted, exits with success

• If the lock file still exists, rolls back to the specified revision

• Reloads the firewall filter configuration if the rollback is successful

script update_bogons.sh

Updates the bogons files for IPv4 and IPv6.

It downloads the latest bogons files from the OPNsense repository, verifies their integrity, and extracts them to a temporary directory. Thescript then updates the bogons tables in the pf firewall configuration. If the update is successful, thescript logs a success message.

Params

• ${1}str

  • COMMAND: The command to execute (e.g. “cron”).

Notes

• Thisscript assumes that the necessary commands (opnsense-update, fetch, tar, pfctl, logger) are available.

• Thescript uses the /usr/local/etc directory to store the bogons files.

firmware

script changelog.sh

Executes the main functionality of the changelog management program.

Params

• ${1}str

  • Command to execute (fetch, cron, remove, list, url, html, text)

• ${2}str (optional)

  • Version number (required for html and text commands)

Returns

• int

  • Exit status of thescript (0 for success, non-zero for failure)

Commands

• fetch : Fetches the latest changelog from the remote repository.

• cron : Fetches the latest changelog from the remote repository, pausing for at least 10 minutes spread out over the next 12 hours.

• remove : Removes all changelog files from the destination directory.

• list : Lists the contents of the index.json file.

• url : Prints the URL of the remote changelog repository.

• html : Prints the HTML changelog for the specified version.

• text : Prints the text changelog for the specified version.

script env_init.sh

Initializes the environment for OPNsense firmware operations.

It checks if the OPNsense update is available and if so, sets environment variables to disable TLS versions below 1.3, refreshes CRL files, and tells libfetch to verify from the trust store.

script connection.sh

Checks connectivity to OPNsense servers and verifies server certificates.

It uses the opnsense-update commands to determine the URLs of the servers, and then checks connectivity to these servers over IPv4 and IPv6. Finally, it verifies the server certificates.

script details.sh

Queries package information.

It takes a package name as an argument and uses the pkg rquery command to retrieve information about the package. Thescript outputs the package name, version, and maintainer.

Params

• ${1}str

  • The package to query.

script health.sh

Performs a health audit on the system.

It checks the root file system, kernel, base system, repositories, plugins, locked packages, and package dependencies. It also checks for missing or altered package files. The audit results are logged to a file.

Params

• ${1}: str

  • Optional command to specify which audit to perform.

  • Possible values: kernel, base, repos, plugins, locked, packages, core

Functions

• set_check: Checks the version and consistency of a package.

• core_check: Checks the consistency of the core packages.

script hostnames.sh

Retrieves the hosts of the repositories configured on the system.

It uses the opnsense-verify command to get the list of repositories, and then parses the repository configuration files to extract the URLs. It filters out non-HTTPS URLs and extracts the host from the remaining URLs. The unique hosts are then printed to the console.

Returns

• A list of unique hosts of the repositories.

script install.sh

Installs a package on the system. It checks if the package is a core package and if so, it checks if the core package is up-to-date. If the core package is not up-to-date, it exits and displays an error message. Otherwise, it installs the package using the pkg command and logs the output to a lockfile. After installation, it runs the register.php`script to register the package and then runs `pkg autoremove to remove any unnecessary packages.

Params

• ${1}str

  • Name of the package to install.

Notes - Thisscript uses the opnsense-version command to get the current version of the system.

• Thisscript uses the pkg command to install and manage packages.

• Thisscript uses the `register.php`script to register the package.

• Thisscript logs all output to a lockfile.

script latest.php

Retrieves the latest stable version of OPNsense by parsing the changelog file.

Params- arsv[1]str

• Path to the changelog file (default: /usr/local/opnsense/changelog/index.json)

Returns

• string

• The latest stable version of OPNsense, or the current version if unknown.

script firmware_runner.sh

Runs a firmwarescript.

It supports various options, such as specifying ascript, setting a random delay, and enabling verbose mode. Thescript uses a lock file to ensure that only onescript is run at a time.

Params

• r: int

  • Optional: Sets a random delay before running thescript.

• s: str

  • Optional: Specifies thescript to run.

• u: bool

  • Optional: Runs thescript without a lock file.

• V: bool

  • Optional: Enables verbose mode.

Returns

• int

  • The return value of the runscript.

Notes - Thisscript uses the flock function to manage the lock file.

• Thescript uses the jot function to generate a random delay.

script license.sh

Displays the license information for a package.

It uses the pkg command to query the package database and retrieve the license information. Thescript then displays the license text for each license found.

Params

• ${1}str

  • The name of the package to display the license information for.

Notes

• Thisscript assumes that the license files are stored in the ${LICENSEDIR} directory.

• Thescript uses the ${PKG} command to query the package database.

script lock.sh

Locks a package to prevent updates.

It uses the opnsense-update command to lock the base or kernel set, or the pkg command to lock a specific package. Thescript logs its actions to a lock file.

Params

• ${1}str

  • The name of the package to lock.

Notes

• Thisscript assumes that the lock file is stored in the ${LOCKFILE} directory.

• Thescript uses the opnsense-version command to retrieve the current version of the system.

script plugin.sh

Checks if a plugin is installed.

It uses the opnsense-version command to check if the plugin is installed, either in stable or development version. Thescript returns 0 if the plugin is not installed, and 1 if it is installed.

Params

• ${1}str

  • PLUGIN: The name of the plugin to check.

Returns

• int

  • 0 if the plugin is not installed, 1 if it is installed.

Notes

• Thisscript assumes that the opnsense-version command is available.

script product.php

A script to retrieve and display product information.

This script uses the json_decode, file_get_contents, shell_safe, date, filemtime, explode, sort, implode, and json_encode functions to retrieve and display the product information. The script assumes that the product metadata file and license file are in the correct format and location.

Arguments

• $metafile: The path to the product metadata file

• $licensefile: The path to the product license file

• $ret: The array to store the product information

Functions

• json_decode(string $json, bool $assoc): Decodes a JSON string into a PHP array

• file_get_contents(string $filename): Reads the contents of a file

• shell_safe(string $command): Executes a shell command and returns the output

• date(string $format, int $timestamp): Formats a timestamp into a human-readable date string

• filemtime(string $filename): Returns the last modification time of a file

• explode(string $delimiter, string $string): Splits a string into an array using a delimiter

• sort(array &$array): Sorts an array in ascending order

• implode(string $delimiter, array $array): Joins an array into a string using a delimiter

• json_encode(array $array, int $flags): Encodes a PHP array into a JSON string

Flow

• Reads the product metadata file and decodes the JSON contents into an array

• Retrieves the latest product version, mirror URL, and timestamp

• Retrieves the list of repositories and sorts them in ascending order

• Checks if there are any pending updates and retrieves the update log

• Retrieves the license information from the license file (if available)

• Sorts the product information array in ascending order

• Encodes the product information array into a JSON string and outputs it

Outputs

• A JSON string containing the product information

script query.sh

Retrieves version information for OPNsense.

It uses the opnsense-version command to retrieve version information for the base and kernel sets. It also uses the pkg command to retrieve package information. Thescript supports three modes:

• local: Retrieves version information for the local OPNsense installation.

• remote: Retrieves version information from a remote repository.

• tiers: Retrieves product tier annotations from a remote repository.

Params

• ${1}str

  • MODE: The mode to retrieve version information (local, remote, tiers).

Returns

• str - The version information in a formatted string.

Notes

• Thisscript assumes that the necessary commands (opnsense-version, pkg) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

script read.sh

Retrieves the lock file for a package.

It checks if the lock file exists and prints its content. The lock file is assumed to be located at the ${LOCKFILE} directory.

Returns

• str - The lock file content.

Notes

• Thisscript assumes that the necessary commands (cat, sed) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

script reboot.sh

Provides a hint to the console to reboot the system.

It checks if an update to the OPNsense core package is available and if the system needs to be rebooted. Thescript uses the pkg command to query the package database and the opnsense-update command to check for updates. If an update is available, thescript prints the next version number and exits with a status code of 0. If no update is available, thescript exits with a status code of 1.

Returns

• int - 0 if a reboot is not necessary, 1 if a reboot is necessary.

Notes

• Thisscript assumes that the necessary commands (pkg, opnsense-update, pluginctl) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

script register.php

A script to manage plugin registration.

This script uses the Config class to manage the plugin configuration.

The script assumes that the plugin metadata is stored in JSON files on disk. This script is used to manage plugin registration and updates.

Arguments

• $action (optional): The action to perform (install, remove, sync, resync)

• $name (optional): The name of the plugin to install or remove

Functions

• plugins_config_get($config): Returns the current plugin configuration

• plugins_config_set($config, $plugins): Sets the plugin configuration

• plugins_disk_found($name): Checks if a plugin is found on disk

• plugins_disk_get(): Returns a list of plugins found on disk

Flow

• Checks the command-line arguments for the action and plugin name

• Initializes the plugin configuration and disk plugins

• Performs the specified action (install, remove, sync, resync)

• Updates the plugin configuration if necessary

script reinstall.sh

Reinstalls a package on the OPNsense system.

It checks if the package is the base or kernel package and performs the necessary actions. If the package is a plugin, it reverts the plugin to its original state and reinstalls it. Thescript uses the opnsense-update command to update the package and the opnsense-revert command to revert the plugin. If a reboot is necessary, thescript initiates a reboot after a short delay.

Params

• ${1}str

  • PACKAGE: The name of the package to reinstall (base, kernel, or a plugin name).

Notes

• Thisscript assumes that the necessary commands (opnsense-update, opnsense-revert, pkg, rc.reboot) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

script remove.sh

Removes a package from the OPNsense system.

It uses the pkg command to remove the package and the register.php`script to update the package registration. Thescript also runs the `pkg autoremove command to remove any unnecessary dependencies. Thescript logs its actions to the ${LOCKFILE} file.

Params

• ${1}str

  • PACKAGE: The name of the package to remove.

Notes

• Thisscript assumes that the necessary commands (pkg, register.php) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

script resync.sh

Resynchronizes the OPNsense system with the latest configuration.

It uses the register.php`script to perform the resynchronization and logs its actions to the `${LOCKFILE} file.

Notes

• Thisscript assumes that the necessary commands (opnsense-version, register.php) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

• Thescript clears the ${LOCKFILE} file before starting the resynchronization.

script running.sh

Checks if the OPNsense system is currently locked for updates.

It uses the flock command to check if the lock file is available.

Returns

• “ready” if the system is not locked

• “busy” if the system is locked

Notes

• Thisscript assumes that the necessary commands (flock) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

• Thescript uses the ${LOCKFILE} file to store the lock information.

script security.sh

Performs a security audit on the OPNsense system.

It uses the pkg command to run the audit and logs its actions to the ${LOCKFILE} file.

Notes

• Thisscript assumes that the necessary commands (pkg, opnsense-version) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

• Thescript clears the ${LOCKFILE} file before starting the audit.

script sync.sh

Synchronizes the OPNsense system with the latest configuration.

It uses the sync.subr.sh`script to perform the synchronization and logs its actions to the `${LOCKFILE} file.

Notes

• Thisscript assumes that the necessary commands (opnsense-version, sync.subr.sh) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

script unlock.sh

Unlocks a package or set on the OPNsense system.

It uses the opnsense-update command to unlock the base or kernel sets, and the pkg command to unlock other packages. Thescript logs its actions to the ${LOCKFILE} file.

Params

• ${1}str

  • PACKAGE: The name of the package or set to unlock.

Notes

• Thisscript assumes that the necessary commands (opnsense-update, pkg) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

script update.sh

Updates the OPNsense system to the latest version.

It uses the opnsense-update command to perform the update and the rc.restart_webgui command to restart the web server. Thescript also uses the tee command to log the output to the ${LOCKFILE} file. If the update is successful, thescript initiates a reboot after a short delay if necessary.

Params

• {1}str

  • CMD: The command to execute (e.g. “sync”).

Notes

• Thisscript assumes that the necessary commands (opnsense-update, rc.restart_webgui, tee, rc.reboot) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

script upgrade.sh

Upgrades the OPNsense system to the latest version.

It uses the opnsense-update command to perform the upgrade and the rc.syshook command to execute system hooks. Thescript also uses the tee command to log the output to the ${LOCKFILE} file. If the upgrade is successful, thescript initiates a reboot after a short delay.

Notes

• Thisscript assumes that the necessary commands (opnsense-update, rc.syshook, tee, rc.reboot) are available.

• Thescript uses the /usr/local/opnsense/scripts/firmware/config.sh file to configure the OPNsense environment.

repos

script FreeBSD.php

Disables the FreeBSD repository to avoid breakage.

This script ensures that the FreeBSD repository is disabled by copying the sample configuration file over the active configuration file.

Arguments

• conf : string

• The path to the FreeBSD repository configuration file.

Actions

• Copies the sample configuration file ($conf . ‘.sample’) over the active configuration file ($conf).

script OPNsense.php

Updates the OPNsense configuration based on the system settings.

It also checks for a subscription key and appends the URL suffix if present. If no subscription key is set, the license file is deleted.

Params

• argsvarray

  • -A: specifies the ABI (Architecture-Based Interface) to use

  • -m: specifies the mirror URL to use

  • -n: specifies the flavour to use

health

script updaterrd.php

This script updates the RRD (Round-Robin Database) statistics for OPNsense.

It uses the OPNsenseCoreConfig class to retrieve the RRD configuration. It also uses the OPNsenseRRDFactory class to collect and update the RRD statistics. The script checks if the RRD statistics are enabled and if the /var/db/rrd directory exists. If debug mode is enabled, the script outputs the total runtime and collection time.

Params

• $argvarray

  -hbool

  • Display help message and exit.

  -dbool

  • Enable debug mode, output errors to stdout.

Returns

• int

• 0 on success, non-zero on failure.

definitions

interfaces

• #!/usr/local/bin/php

script carp_global_status.php

This script checks the CARP (Common Address Redundancy Protocol) configuration and returns a JSON response with the current status.

Arguments

• a_vip : array - An array of virtual IP addresses.

• carpcount : int - The number of CARP interfaces found.

• response : array - An array containing the CARP status information.

Returns

• A JSON-encoded array with the CARP status information.

script carp_set_status.php

Manages CARP (Common Address Redundancy Protocol) configuration and state.

This script performs actions on the CARP configuration, such as entering or leaving maintenance mode, disabling or enabling CARP, and configuring interfaces.

Params

• argsv[0]str

  • The action to perform (maintenance, disable, enable).

Arguments

• a_vip : array - An array of virtual IP addresses.

• config : array - The system configuration array.

Returns

• A JSON-encoded array with the result of the action.

script ifctl.sh

Configures and manages interface settings.

It supports various modes, including nameserver, prefix, router, and searchdomain. It also supports IPv4 and IPv6 address families. Thescript can perform various actions, including clearing, flushing, dumping, and listing interface settings.

Params

• CMD: str

  Optional command to specify the action to perform. Possible values: -c, -d, -f, -l, -O

• IF: str

  Interface name.

• MD: str

  Mode to operate in. Possible values: nameserver, prefix, router, searchdomain

• AF: str

  Address family. Possible values: inet, inet6

• EX: str

  Extension to append to the file name.

• DO_CONTENTS: str

  Contents to write to the file.

• DO_VERBOSE: str

  Flag to enable verbose mode.

Functions

• flush_routes: Flushes routes for the specified interface and mode.

• flush_slaac: Flushes SLAAC addressing for the specified interface.

Notes - Thisscript uses temporary files to store interface settings.

• Thescript uses the route command to manipulate routes.

• Thescript uses the ifconfig command to manipulate interface settings.

• This Script uses getopts to parse command-line options:

  • getopts: getopts optstring name [arg …]

  • Getopts is used by shell procedures to parse positional parameters as options.

script reconfigure_gifs.php

A script to reconfigure GIF interfaces.

This script uses the file_exists, filesize, fopen, flock, fread, fwrite, ftruncate, explode, trim, and other functions to interact with the file system and configure the GIF interfaces.

Arguments

• $gifs_todo: An array to store the GIF interfaces to reconfigure

• $vfilename: The path to the file containing the GIF interfaces to reconfigure

• $gif_configure: An array to store the GIF interfaces to reconfigure

• $ifdetails: An array to store the interface details

Functions

• file_exists(string $filename): Checks if a file exists

• filesize(string $filename): Returns the size of a file

• fopen(string $filename, string $mode): Opens a file pointer

• flock(resource $handle, int $operation): Locks or unlocks a file

• fread(resource $handle, int $length): Reads from a file pointer

• fwrite(resource $handle, string $string): Writes to a file pointer

• ftruncate(resource $handle, int $size): Truncates a file to a specified size

• explode(string $delimiter, string $string): Splits a string into an array using a delimiter

• trim(string $string): Removes whitespace from a string

• OPNsenseInterfacesGif()->gif->iterateItems(): Iterates over the GIF interfaces

• legacy_interface_destroy(string $interface): Destroys a legacy interface

• legacy_interfaces_details(): Returns the interface details

• interfaces_addresses_flush(string $interface, int $family, array $ifdetails): Flushes addresses from an interface

• _interfaces_gif_configure(array $gif): Configures a GIF interface

• interfaces_restart_by_device(bool $force, array $interfaces): Restarts interfaces

Flow

• Reads the file containing the GIF interfaces to reconfigure

• Collects the GIF interfaces to reconfigure

• Removes non-existing interfaces

• Reconfigures the still existing GIF interfaces

• Removes addresses from the interfaces (if necessary)

• Configures the GIF interfaces

• Re-applies additional addresses and hooks routing (if necessary)

/

script reconfigure_gres.php

A script to reconfigure GRE interfaces.

This script uses the file_exists, filesize, fopen, flock, fread, fwrite, ftruncate, explode, trim, and other functions to interact with the file system and configure the GRE interfaces

Arguments

• $gres_todo: An array to store the GRE interfaces to reconfigure

• $vfilename: The path to the file containing the GRE interfaces to reconfigure

• $gre_configure: An array to store the GRE interfaces to reconfigure

• $ifdetails: An array to store the interface details

Functions

• file_exists(string $filename): Checks if a file exists

• filesize(string $filename): Returns the size of a file

• fopen(string $filename, string $mode): Opens a file pointer

• flock(resource $handle, int $operation): Locks or unlocks a file

• fread(resource $handle, int $length): Reads from a file pointer

• fwrite(resource $handle, string $string): Writes to a file pointer

• ftruncate(resource $handle, int $size): Truncates a file to a specified size

• explode(string $delimiter, string $string): Splits a string into an array using a delimiter

• trim(string $string): Removes whitespace from a string

• OPNsenseInterfacesGre()->gre->iterateItems(): Iterates over the GRE interfaces

• legacy_interface_destroy(string $interface): Destroys a legacy interface

• legacy_interfaces_details(): Returns the interface details

• interfaces_addresses_flush(string $interface, int $family, array $ifdetails): Flushes addresses from an interface

• _interfaces_gre_configure(array $gre): Configures a GRE interface

• interfaces_restart_by_device(bool $force, array $interfaces): Restarts interfaces

Flow

• Reads the file containing the GRE interfaces to reconfigure

• Collects the GRE interfaces to reconfigure

• Removes non-existing interfaces

• Reconfigures the still existing GRE interfaces

• Removes addresses from the interfaces (if necessary)

• Configures the GRE interfaces

• Re-applies additional addresses and hooks routing (if necessary)

script reconfigure_laggs.php

A script to reconfigure LAGG interfaces.

This script uses the file_exists, filesize, fopen, flock, fread, fwrite, ftruncate, explode, trim, and other functions to interact with the file system and configure the LAGG interfaces

Arguments

• $laggs_todo: An array to store the LAGG interfaces to reconfigure

• $vfilename: The path to the file containing the LAGG interfaces to reconfigure

• $lagg_configure: An array to store the LAGG interfaces to reconfigure

Functions

• file_exists(string $filename): Checks if a file exists

• filesize(string $filename): Returns the size of a file

• fopen(string $filename, string $mode): Opens a file pointer

• flock(resource $handle, int $operation): Locks or unlocks a file

• fread(resource $handle, int $length): Reads from a file pointer

• fwrite(resource $handle, string $string): Writes to a file pointer

• ftruncate(resource $handle, int $size): Truncates a file to a specified size

• explode(string $delimiter, string $string): Splits a string into an array using a delimiter

• trim(string $string): Removes whitespace from a string

• OPNsenseInterfacesLagg()->lagg->iterateItems(): Iterates over the LAGG interfaces

• legacy_interface_destroy(string $interface): Destroys a legacy interface

• _interfaces_lagg_configure(array $lagg): Configures a LAGG interface

Flow

• Reads the file containing the LAGG interfaces to reconfigure

• Collects the LAGG interfaces to reconfigure

• Removes non-existing interfaces

• Reconfigures the still existing LAGG interfaces

script reconfigure_neighbors.php

This script uses the interfaces_neighbors_configure() function to configure the neighbors.

The interfaces_neighbors_configure() function is defined in another module and is not part of this script. This script is very simple and consists of only one function call.

Functions

• interfaces_neighbors_configure(): Configures the neighbors

Flow

• Calls the interfaces_neighbors_configure() function to configure the neighbors

script reconfigure_vips.php

A script to reconfigure the Virtual IPs (VIPs).

Functions

• legacy_interfaces_details(): Returns the interface details

• legacy_config_get_interfaces(): Returns the interface configurations

• legacy_interface_deladdress(): Deletes an IP address from an interface

• interface_ipalias_configure(): Configures an IP alias interface

• interface_carp_configure(): Configures a CARP interface

• interface_proxyarp_configure(): Configures the proxy ARP

Flow

• Collects the IP addresses and their corresponding interfaces

• Removes deleted VIPs

• Compares the actual VIP configuration with the desired configuration

• Configures the VIPs based on the desired configuration

/

script reconfigure_vlans.php

A script to reconfigure the VLANs.

Functions

• legacy_interfaces_details(): Returns the interface details

• legacy_interface_destroy(): Destroys an interface

• legacy_vlan_remove_tag(): Removes a VLAN tag from an interface

• legacy_vlan_tag(): Adds a VLAN tag to an interface

• legacy_vlan_pcp(): Sets the PCP (Priority Code Point) for a VLAN

• legacy_vlan_proto(): Sets the protocol for a VLAN

• _interfaces_vlan_configure(): Configures a VLAN interface

• ifgroup_setup(): Sets up the interface groups

Flow

• Collects all relevant VLANs (new, updated, and removed) into a single list

• Merges the configured VLANs with the existing VLANs

• Handles existing VLANs (removed, changed, or unchanged)

• Configures new VLANs

• Sets up the interface groups

script rtsold_resolvconf.sh

Processes Router Advertisements (RA) with RDNSS and DNSSL options.

Thisscript is invoked by rtsold when a Router Advertisement with RDNSS and DNSSL options is received. It extracts the interface, router, and DNS information from the arguments and STDIN.

Params

• ${1}str

  • Action:

    • “-a” to add DNS information

    • “-d” to delete DNS information

• ${2}str

  • Interface information: “ifname:slaac:[RA source address]”

Notes

• Thisscript uses the ifctl(8) and configctl(8) commands to modify the interface configuration.

• It uses the /var/etc/radvd.conf file to recognize its own configuration.

script traffic_stats.php

This script uses the legacy_config_get_interfaces and legacy_interface_stats functions to collect interface information and statistics.

It also uses the map_ifs function to map interface data to a standardized format. If an interval is specified, the script will collect statistics at that interval and output the results in a streaming format. If no interval is specified, the script will collect statistics once and output the results in a single JSON object.

Params

• srgsv[0]int

  • The interval in seconds to collect traffic statistics.

Returns

• string

  • The traffic statistics in JSON format.

/

ipsec

script get_legacy_vti.php

This script uses the ipsec_get_configured_vtis() function to retrieve the list of configured IPsec VTIs.

The result is output in JSON format using the json_encode() function.

Returns

• A JSON-encoded array containing the list of configured IPsec VTIs.

Functions

• require_once(string $filename) : void - Includes the specified file.

• ipsec_get_configured_vtis() : array - Retrieves a list of configured IPsec VTIs.

• json_encode(array $data) : string - Encodes the data in JSON format.

Arguments

• result : array - An array to store the result.

• vti : array - The current VTI.

• record : array - An array to store the VTI record.

netflow

script flush_all.sh

Flushes local netflow data.

If the “all” argument is provided, it stops the flowd and flowd_aggregate services, removes all netflow data files and log files, and then starts the services again.

Params

• ${1}: str

  • If str == “all” provided, all local netflow data will be flushed.

openssh

openvpn

script client_connect.php

This script authenticates an OpenVPN user based on the provided common name and server ID, and generates a client configuration file if required.

Arguments

• common_name : string - The common name of the user.

• vpnid : string - The ID of the OpenVPN server.

• config_file : string - The path to the client configuration file.

• server : OPNsenseOpenVPNOpenVPN - The OpenVPN server instance.

• cso : OPNsenseOpenVPNOpenVPN - The client-specific override configuration.

Environment Variables

• common_name : The common name of the user.

• auth_server : The ID of the OpenVPN server.

• config_file : The path to the client configuration file.

script client_disconnect.sh

Returns

• int

  • The exit status of thescript.

script ovpn_service_control.php

Controls the OpenVPN instances on the system. It can be used to start, stop, restart, or configure instances.

Parameters

• $argvarray

  • $argsv[-2]str

    • action: stop|start|restart|configure

• $argsv[-1]str

  • uuid: UUID of the instance

• -a: all instances

• -h: help

Functions

• setup_interface($instance): Configures the network interface for the OpenVPN instance.

• ovpn_start($instance, $fhandle): Starts the OpenVPN instance.

• ovpn_stop($instance, $destroy_if = false): Stops the OpenVPN instance.

• ovpn_instance_stats($instance, $fhandle): Reads the statistics of the OpenVPN instance.

• get_vhid_status(): Reads the status of the CARP instances.

script tls_verify.php

This script verifies the certificate depth for OpenVPN authentication.

It uses the OPNsenseOpenVPNOpenVPN class to retrieve the server instance by ID. It also uses the OPNsenseTrustStore class to validate the OCSP response. The script checks the certificate depth and OCSP validation for the given server ID. If the verification fails, it logs a warning message and exits with a non-zero status code.

Params

• argsv[0]str

  • The auth_server identifier for authentication.

Returns

• int

  • 0 on success, 1 on failure.

script user_pass_verify.php

It also uses the OPNsenseOpenVPNOpenVPN class to retrieve OpenVPN server information and create client-specific overrides. The script logs authentication results to the syslog.

Arguments

• auth_server : string - The ID of the OpenVPN server.

• auth_method : string - The authentication method to use (via-env or via-file).

• common_name : string - The common name of the certificate.

• auth_file : string - The file containing the username and password (when using via-file method).

• auth_defer : bool - Whether to defer authentication to another process.

• auth_control_file : string - The file to write the authentication result to (when using auth_defer).

Returns

• int

• 0 on success, non-zero on failure.

routes

script del_route.py

Parameters

• destinationstr

  • Description: destination

  • options : [’–destination’]

  • required : True

• gatewaystr

  • Description: gateway

  • options : [’–gateway’]

  • required : True

script gateway_status.php

This script retrieves the status of gateways using the dpinger_status() function, and generates a JSON-encoded result containing information about each gateway.

Returns

• A JSON-encoded array containing information about each gateway.

Functions

• dpinger_status() : Retrieves the status of gateways.

Variables

• result : array - An array to store the result of the script.

• gateways_status : array - An array containing the status of each gateway.

• gname : string - The name of the current gateway.

• gw : array - An array containing information about the current gateway.

• gatewayItem : array - An array to store information about the current gateway.

• status_translated : string - A translated version of the status of the current gateway.

script gateway_watcher.php

Dieses Script überwacht die Gateways und generiert Alarme, wenn ein Gateway nicht erreichbar ist.

Params

• $argv[1]string

  • the action to execute: configd_run($action)

Functions

• signalhandler($signal) : Function called when a signal is received.

• dpinger_status() : Function that returns the status of the gateways.

• config_read_array($section, $key) : Function that returns an array from the configuration.

• shell_safe($command, $args) : Function that safely executes a command.

• syslog($priority, $message) : Function that writes a message to the system log.

Variables

• $config : array The system configuration.

• $mode : array An array that stores the status of the gateways.

• $poll : int The poll interval in seconds.

• $wait : int The wait interval in seconds.

• $alarm : bool A flag that indicates whether an alarm has been generated.

script gateways.php

Retrieves a list of gateways and their corresponding IP addresses or protocols.

This script retrieves a list of gateways and their corresponding IP addresses or protocols, and outputs the result in JSON format.

Params

• $argvsarray

  • -g : Adds gateway groups to the result.

  • -h : Displays the usage help.

Returns

• A JSON-encoded array containing the list of gateways and their corresponding IP addresses or protocols.

Functions

• getopt(string $shortopts, array $longopts = [], int &$optind = 0) : array

• Parses the command-line options.

• array_slice(array $array, int $offset, int $length = null) : array

• Extracts a slice of the array.

• is_ipaddr(string $ip) : bool

• Checks if the given string is a valid IP address.

Variables

• mdl : OPNsenseRoutingGateways - An instance of the Gateways class.

• gateways : array - An array containing the list of gateways.

• ret : array - An array to store the result.

• opts : array - An array containing the parsed command-line options.

• args : array - An array containing the remaining command-line arguments.

shaper

shell

script banner.php

Displays system information and network interface details.

This script prints the system hostname, domain, and version, followed by a list of assigned network interfaces with their IP addresses, classes, and other details.

Arguments

• versionstr

  • The system version.

• iflistarray

  • A list of network interfaces.

• ifdetailsarray

  • A list of network interface details.

script defaults.php

Resets the firewall to factory defaults.

This script prompts the user to confirm whether they want to reset the firewall to factory defaults, and then calls the reset_factory_defaults() function if the user confirms.

Arguments

• fp : resource

• A file pointer to the standard input stream.

• yes_no_prompt : string

• The prompt to display to the user.

Functions

• reset_factory_defaults() : Resets the firewall to factory defaults.

script firmware.sh

Thisscript performs firmware actions, such as fetching changelogs, running updates, and performing upgrades. It checks if an update or upgrade is available and prompts the user to confirm whether to proceed. If the user agrees, the update or upgrade is executed.

Functions:

• run_action: Performs a firmware action and waits for user input.

• Fetches changelogs and updates.

• Checks if an upgrade is available.

• Runs updates and upgrades.

script halt.php

This script halts the system and powers it off after the user confirms that they want to proceed.

This script uses the passthru() function to execute the system command ‘/usr/local/etc/rc.halt’. The user must confirm that they want to proceed before the system is shut down.

Functions

• require_once(string $filename) : void - Includes the specified file.

• fopen(string $filename, string $mode) : resource - Opens a file or other file system.

• fgets(resource $stream) : string - Reads a line from a file stream.

• strcasecmp(string $str1, string $str2) : int - Compares two strings without considering case.

• passthru(string $command) : void - Executes a system command and returns the output.

• fclose(resource $stream) : bool - Closes a file stream.

Variables

• fp : resource

• A file stream opened to the standard input.

script password.php

A script to reset the root user account.

Parameters

• $argv[2] and $argv[3]: Options for the script

  • -h 0: Mocking “pw usermod root -h 0”

  • -x 0: Creates a new root user if none exists

• $fp : input stream

Functions

• getUserEntryByUID(int $uid): Returns the user entry for the given UID

• local_user_set_password(array $user, string $password): Sets the password for the given user

• local_user_set(array $user): Saves the user entry

• write_config(string $message): Writes a message to the configuration

Flow

• Checks if the options -h 0 or -x 0 were provided

• If -h 0, sets the password for the root user

• If -x 0, creates a new root user if none exists and sets the password

• If no options were provided, asks if the user wants to restore the default authentication mode

• If the user wants to restore the default authentication mode, sets the password for the root user

Outputs

• Messages for resetting the root user account

• Error messages if the password is empty or does not match

script ping.php

A script to ping a host name or IP address.

This script uses the fopen, fgets, escapeshellarg, passthru, and fclose functions to interact with the user and execute the ping command. The script assumes that the [/sbin/ping](cci:7://file:///sbin/ping:0:0-0:0) command is available on the system.

Parameters

• $fp: The file pointer for standard input

• $pinghost: The host name or IP address to ping

Functions

• fopen(string $filename, string $mode): Opens a file pointer

• fgets(resource $fp): Reads a line from the file pointer

• escapeshellarg(string $arg): Escapes a shell argument

• passthru(string $command): Executes a shell command and displays the output

• fclose(resource $fp): Closes a file pointer

Flow

• Opens the standard input file pointer

• Prompts the user to enter a host name or IP address

• Reads the user input and stores it in the $pinghost variable

• Pings the host name or IP address using the [/sbin/ping](cci:7://file:///sbin/ping:0:0-0:0) command with the -c 3 and -n options

• Displays the output of the ping command

• Prompts the user to press ENTER to continue

• Reads the user input and closes the standard input file pointer

Outputs

• The output of the ping command

script netboot.php

A script to reboot the system after confirmation.

This script uses the fopen, fgets, chop, strcasecmp, passthru, and fclose functions to interact with the user and execute the reboot command. The script assumes that the /usr/local/etc/rc.reboot command is available on the system and will reboot the system.

Parameters

• $fp: The file pointer for standard input

Functions

• fopen(string $filename, string $mode): Opens a file pointer

• fgets(resource $fp): Reads a line from the file pointer

• chop(string $string): Removes trailing whitespace from a string

• strcasecmp(string $str1, string $str2): Compares two strings in a case-insensitive manner

• passthru(string $command): Executes a shell command and displays the output

• fclose(resource $fp): Closes a file pointer

Flow

• Opens the standard input file pointer

• Prompts the user to confirm the reboot

• Reads the user input and checks if it matches ‘y’ (case-insensitive)

• If confirmed, executes the /usr/local/etc/rc.reboot command to reboot the system

• Closes the standard input file pointer

Outputs

• The output of the reboot command (if executed)

script restore.sh

Restores a backup of the OPNsense configuration.

It lists all available backups, allows the user to select one, and then restores it. Thescript also offers the option to reboot the system to apply the backup cleanly.

Notes

• Thisscript assumes that the necessary commands (cd, find, date, sort, head, echo, read, cp, rc.reboot, rc.reload_all) are available.

• Thescript uses the /conf/backup directory to store the backups.

script script setaddr.php

This script is used to configure IP addresses and gateways for network interfaces.

Params

• argsv[0]str

  • The name of the network interface to configure.

• $fp - input stream

  • $fp = fopen(‘php://stdin’, ‘r’);

Arguments

• intip : str - The new IPv4 address for the interface.

• intbits : int - The subnet bit count for the IPv4 address.

• gwname : str - The name of the gateway for the interface.

• nameserver : str - The name server for the interface.

• intip6 : str - The new IPv6 address for the interface.

• intbits6 : int - The subnet bit count for the IPv6 address.

• gwname6 : str - The name of the gateway for the IPv6 interface.

• nameserver6 : str - The name server for the IPv6 interface.

The script does not return any value.

script setports.php

This script configures the networking interfaces and ports for the system.

The script stops local servers to prevent faulty leases and then configures the interfaces, routing, DHCP, and VPN settings.

Returns

• bool

• true if the configuration was successful, false otherwise

This script requires the following files to be included:

• config.inc

• console.inc

• filter.inc

• util.inc

• system.inc

• interfaces.inc

suricata

script listRuleMetadata.py

Parameters

• modestr

  • Description: fetch mode

  • options : [’–mode’]

  • default : properties

  • choices : [‘properties’, ‘rules’]

  • required : False

script suricata_setup.sh

Sets up the Suricata directories and configuration files.

It creates the necessary directories, sets the ownership and permissions, and creates a placeholder file if necessary.

Notes

• Thisscript assumes that the necessary commands (mkdir, chown, chmod, touch) are available.

• Thescript uses the /var/log/suricata directory for Suricata logs.

• Thescript creates the /usr/local/etc/suricata/installed_rules.yaml file if it does not exist.

syslog

script clearlog.php

Clears log files for a specific module or service.

This script removes log files for a specified module or service, and restarts the system syslog service.

Params - argsvarray

• • -h : Show help text and exit.

• • -m : Specify the module name.

• • -f : Specify the log file name.

Arguments

• opts : array

• An array of command-line options.

• mname : string

• The name of the module or service.

• fname : string

• The name of the log file.

• basename : string

• The base path of the log file.

script list_applications.php

Retrieves a list of syslog facilities and their corresponding plugin names.

Returns

• string

• A JSON-encoded array containing syslog facilities as keys and plugin names as values.

script queryLog.py

Parameters

• outputstr

  • Description: output type [json/text]

  • options : [’–output’]

  • default : json

  • required : False

• filterstr

  • Description: filter results

  • options : [’–filter’]

  • default :

  • required : False

• limitstr

  • Description: limit number of results

  • options : [’–limit’]

  • default :

  • required : False

• offsetstr

  • Description: begin at row number

  • options : [’–offset’]

  • default :

  • required : False

• filenamestr

  • Description: log file name (excluding .log extension)

  • options : [’–filename’]

  • default :

  • required : False

• modulestr

  • Description: module

  • options : [’–module’]

  • default : core

  • required : False

• severitystr

  • Description: comma separated list of severities

  • options : [’–severity’]

  • default :

  • required : False

• valid_fromstr

  • Description: oldest data to search for (epoch)

  • options : [’–valid_from’]

  • default :

  • required : False

script streamLog.py

Parameters

• filterstr

  • Description: filter results

  • options : [’–filter’]

  • default :

  • required : False

• offsetstr

  • Description: include last N matching lines

  • options : [’–offset’]

  • default :

  • required : False

• filenamestr

  • Description: log file name (excluding .log extension)

  • options : [’–filename’]

  • default :

  • required : False

• modulestr

  • Description: module

  • options : [’–module’]

  • default : core

  • required : False

• severitystr

  • Description: comma separated list of severities

  • options : [’–severity’]

  • default :

  • required : False

system

script cpu.py

Parameters

• intervalstr

  • Description: poll interval

  • options : [’–interval’]

  • default : 1

  • required : False

script nameservers.php

Retrieves a list of nameservers.

Arguments

• • argv[1] : bool

• • Optional argument to specify whether to include additional information (default: false)

Returns

• string

• • A JSON-encoded array containing the list of nameservers.

script remote_backup.php

This script uses the BackupFactory class to manage backup providers.

The script assumes that the backup providers are configured correctly and that the necessary dependencies are . This script is designed to be run remotely and can be used to perform backups at random intervals.

Arguments

• $random_delay (optional): A random delay in seconds to add before starting the backup

Functions

• BackupFactory::listProviders(): Returns a list of backup providers

• BackupProvider::isEnabled(): Checks if a backup provider is enabled

• BackupProvider::backup(): Performs a backup using a provider

Flow

• Adds a random delay in seconds before starting the backup (if specified)

• Creates a BackupFactory instance

• Iterates over the list of backup providers

• Checks if each provider is enabled and performs a backup if it is

script ssl_ciphers.py

Parameters

• formatstr

  • Description: format

  • options : [’–format’]

  • default : full

  • choices : [‘full’, ‘key_value’]

  • required : False

• filterstr

  • Description: filter version

  • options : [’–filter’]

  • choices : [‘TLSv1.3’, ‘pre-TLSv1.3’, ‘’]

  • required : False

script status.php

This script uses the OPNsenseSystemSystemStatus class to retrieve the system status.

If an action is specified (dismiss), the script will dismiss the corresponding status. If no action is specified, the script will display the system status in JSON format.

Params

• argsv[0] : str

• The action to perform on the system status (dismiss).

Returns

• string

• The system status in JSON format if no action is specified.

script sysctl.py

Parameters

• valuesstr

  • Description: comma-separated list of sysctl values to fetch

  • options : [’–values’]

  • required : False

script temperature.sh

Displays the temperature readings from the system.

It uses the sysctl command to retrieve the temperature-related sysctls and then sorts the output.

Notes

• Thisscript assumes that the necessary command (sysctl) is available.

• Thescript only displays temperature readings if they are available on the system.

unbound

script cache.sh

Executes the main functionality of the program.

Params

• ${1}str

  • Path to the configuration file.

Arguments

• verbosebool

  Enable verbose mode for detailed output. default= False

• debugbool

  Enable debug mode for troubleshooting. default= False

Returns

• int

  Exit status of thescript (0 for success, non-zero for failure)

script logger.py

Parameters

• pipestr

  • Description: named pipe file location

  • options : [’–pipe’]

  • default : /var/unbound/data/dns_logger

  • required : False

• targetdbstr

  • Description: duckdb filename

  • options : [’–targetdb’]

  • default : /var/unbound/data/unbound.duckdb

  • required : False

• backup_dirstr

  • Description: backup directory

  • options : [’–backup_dir’]

  • default : /var/cache/unbound.duckdb

  • required : False

• flush_intervalstr

  • Description: interval to flush to db

  • options : [’–flush_interval’]

  • default : 10

  • required : False

script restore_db.py

Parameters

• backup_dirstr

  • Description: backup directory

  • options : [’–backup_dir’]

  • default : /var/cache/unbound.duckdb

  • required : False

• targetdbstr

  • Description: duckdb filename

  • options : [’–targetdb’]

  • default : /var/unbound/data/unbound.duckdb

  • required : False

script start.sh

Starts the Unbound DNS resolver and configures it for use with OPNsense.

It removes any existing configuration files, checks for the presence of the root.key file, and runs unbound-anchor if necessary. Thescript then copies configuration files from /usr/local/etc/unbound.opnsense.d to /var/unbound/etc and sets the ownership of the files to the unbound user. Finally, thescript starts the Unbound service and loads the DNS cache.

Params

• ${1}str

  • DOMAIN: The domain name to use for DHCP and DNS configuration.

Notes

• Thisscript assumes that the necessary commands (unbound, unbound-anchor, unbound-control-setup, chown, daemon) are available.

• Thescript uses the /usr/local/opnsense/scripts/unbound directory for Unbound-relatedscripts and configuration files.

script stats.py

Parameters

None

script wrapper.py

Parameters

None

Wireguard