README
¶
pfSense Configuration Schema
This package defines Go structs for parsing pfSense config.xml files. It follows the copy-on-write pattern described in AGENTS.md: reuse OPNsense types where XML structures are identical, fork locally at first divergence.
Config Versions
| pfSense CE | Plus | Config Rev | FreeBSD |
|---|---|---|---|
| 2.5.x | 21.02 | 21.4-21.7 | 12.2-STABLE |
| 2.6.0 | 22.01 | 22.2 | 12.3-STABLE |
| 2.7.0 | 23.05 | 22.9 | 14.0-CURRENT |
| 2.8.0 | 25.07 | 24.0 | 15.0-CURRENT |
CE and Plus share the same config format at corresponding releases. Config upgrades are sequential, handled by upgrade_NNN_to_NNN() functions in the pfSense source (upgrade_config.inc).
Root Element
The root XML element is <pfsense> (vs OPNsense's <opnsense>).
Key Structural Differences from OPNsense
| Area | pfSense | OPNsense |
|---|---|---|
| Root element | <pfsense> |
<opnsense> |
| NAT port forwards | <nat><rule> (direct child) |
<nat><inbound><rule> (nested) |
| NAT redirect IP field | <target> |
<internalip> |
| NAT 1:1 / NPt | <nat><onetoone>, <nat><npt> |
Different location |
| User passwords | <bcrypt-hash> |
<password> (SHA-based) |
| User privileges | <priv>[] per-user array |
Group-based model |
| DNS servers | <dnsserver>[] (repeating elements) |
Single <dnsserver> string |
| Aliases | Flat aliases/alias[] |
UUID-based OPNsense/Firewall/Alias |
| Captive portal | Zone-keyed map | Completely different implementation |
| Traffic shaping | ALTQ + dummynet | Different model in newer OPNsense |
| Auth servers | system/authserver[] |
Different location |
| Notifications | system/notifications (SMTP/Telegram/etc.) |
Different system |
| Filter rules | Adds id, tag, tagged, os, associated-rule-id |
Does not have these |
| Config version | Decimal (22.9, 24.0) | Different numbering |
| CRL | Top-level <crl>[] |
Integrated differently |
| Kea DHCP | <kea> / <kea6> (newer versions) |
Not present |
listtags (XML Array Elements)
From pfSense's xmlparse.inc, these elements are always parsed as arrays even with a single entry. In Go, these must use []Type, never Type:
alias, authserver, bridged, ca, cert, crl, dnsserver, domainoverrides,
dyndns, gateway_item, gateway_group, gif, gre, group, hosts,
ifgroupentry, igmpentry, item, lagg, member, mobilekey, monitor_type,
npt, onetoone, openvpn-server, openvpn-client, openvpn-csc, phase1,
phase2, pool, ppp, pppoe, priv, qinqentry, queue, route, rule,
schedule, shellcmd, staticmap, timerange, user, vip, virtual_server,
vlan, wolentry
Complete Top-Level Section Inventory
Implemented in This Package
| Section | File | Reuses OPNsense? | Notes |
|---|---|---|---|
<pfsense> root |
document.go |
Partial | Root document with all top-level fields |
system |
system.go |
Partial (Group, SSHConfig) | pfSense-specific User, WebGUI, DNS arrays |
interfaces |
document.go |
Yes (full) | Map-based, identical structure |
filter |
security.go |
Partial (Source, Destination) | pfSense-specific FilterRule |
nat (inbound + outbound) |
security.go |
Outbound reused | Inbound forked for <target> vs <internalip> |
dhcpd |
document.go |
Yes (full) | Identical map-based structure |
dhcpdv6 |
network.go |
No (pfSense-specific) | Map-based with RAMode, RAPriority |
snmpd |
document.go |
Yes (full) | Identical |
openvpn |
document.go |
Yes (full) | Client + server arrays |
syslog |
services.go |
No (pfSense-specific) | Currently minimal |
unbound |
services.go |
No (pfSense-specific) | Core fields |
cron |
services.go |
No (pfSense-specific) | item[] array |
widgets |
services.go |
No (pfSense-specific) | Adds Period field |
diag |
services.go |
No (pfSense-specific) | IPv6NAT only |
rrd |
document.go |
Yes (full) | Enable flag |
load_balancer |
document.go |
Yes (full) | Deprecated in pfSense 2.8+ |
staticroutes |
document.go |
Yes (full) | Identical |
ppps |
document.go |
Yes (full) | Identical base |
gateways |
document.go |
Yes (full) | Identical base |
ca[] / cert[] |
document.go |
Yes (full) | Top-level arrays |
vlans |
document.go |
Yes (full) | Identical |
revision |
document.go |
Yes (full) | Identical |
Not Yet Implemented
High Priority (common in production configs)
<aliases> -- Firewall AliasesPath: aliases/alias[]
| Field | Type | Description |
|---|---|---|
name |
string | Alias identifier (alphanumeric + underscore) |
type |
string | host, network, port, url, urltable, urltable_ports |
address |
string | Space-separated IPs/networks/ports/FQDNs |
descr |
string | Description |
detail |
string | Per-entry descriptions (pipe-pipe delimited) |
url |
string | URL source (for urltable types) |
updatefreq |
string | Update frequency in days (urltable types) |
aliasurl |
string[] | Array of alias URLs (alternative to single url) |
OPNsense difference: OPNsense stores aliases at OPNsense/Firewall/Alias with a UUID-based model. pfSense uses a flat aliases/alias[] array.
<ipsec> -- IPsec VPNPath: ipsec/phase1[], ipsec/phase2[], ipsec/client, ipsec/mobilekey[]
Phase 1 fields (ipsec/phase1[]):
| Field | Type | Description |
|---|---|---|
ikeid |
string | Unique IKE identifier |
iketype |
string | ikev1, ikev2, auto |
interface |
string | Local endpoint interface |
remote-gateway |
string | Remote peer address/hostname |
protocol |
string | inet, inet6, both |
myid_type / myid_data |
string | Local identifier |
peerid_type / peerid_data |
string | Remote identifier |
encryption |
complex | Contains encryption-algorithm-option[] |
authentication_method |
string | pre_shared_key, cert, eap-tls, etc. |
pre-shared-key |
string | PSK value |
certref / caref |
string | Certificate/CA references |
lifetime |
string | IKE SA lifetime (seconds) |
rekey_time / reauth_time / rand_time |
string | Timing parameters |
mode |
string | main, aggressive |
nat_traversal |
string | NAT-T enablement |
mobike |
string | MOBIKE support |
dpd_delay / dpd_maxfail |
string | Dead peer detection |
startaction / closeaction |
string | SA lifecycle |
disabled |
presence | Enable/disable flag |
descr |
string | Description |
mobile |
presence | Mobile client mode |
ikeport / nattport |
string | Custom ports |
splitconn |
string | Split connection |
Phase 2 fields (ipsec/phase2[]):
| Field | Type | Description |
|---|---|---|
ikeid |
string | Parent Phase 1 identifier |
uniqid |
string | Unique identifier |
mode |
string | tunnel, tunnel6, vti |
disabled |
presence | Disable flag |
reqid |
string | Request ID |
localid / remoteid |
complex | Network identities (type, address, netbits) |
natlocalid |
complex | NAT/BINAT identity |
protocol |
string | ESP or AH |
encryption-algorithm-option[] |
array | Encryption algorithms with keylen |
hash-algorithm-option[] |
array | Hash algorithms |
pfsgroup |
string | PFS key group |
lifetime |
string | SA lifetime |
pinghost |
string | Keep-alive IP |
descr |
string | Description |
Mobile client (ipsec/client):
| Field | Type | Description |
|---|---|---|
enable |
presence | Enable mobile clients |
user_source |
string | Comma-separated auth sources |
group_source |
string | Group-based access |
pool_address / pool_netbits |
string | IPv4 address pool |
pool_address_v6 / pool_netbits_v6 |
string | IPv6 address pool |
dns_server1 through dns_server4 |
string | DNS servers pushed to clients |
wins_server1 / wins_server2 |
string | WINS servers |
dns_domain |
string | Search domain |
dns_split |
string | Split DNS |
login_banner |
string | Connection banner |
save_passwd |
presence | Password persistence |
Logging (ipsec/logging): per-subsystem log levels (dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib).
<virtualip> -- Virtual IPs (CARP/Alias/ProxyARP)Path: virtualip/vip[]
| Field | Type | Description |
|---|---|---|
mode |
string | ipalias, carp, proxyarp, other |
interface |
string | Network interface |
vhid |
string | Virtual Host ID (1-255, CARP only) |
advskew |
string | Advertisement skew (0-254, CARP only) |
advbase |
string | Advertisement base frequency (1-254, CARP only) |
password |
string | CARP cluster password |
subnet |
string | IP address |
subnet_bits |
string | CIDR prefix |
type |
string | single or network |
descr |
string | Description |
uniqid |
string | Unique identifier |
noexpand |
presence | Disable NAT list expansion |
Reusable: nearly identical to OPNsense's virtualip/vip[].
<hasync> -- High Availability SyncPath: hasync/
| Field | Type | Description |
|---|---|---|
pfsyncenabled |
string | State sync enable (on/false) |
pfsyncinterface |
string | pfsync interface |
pfsyncpeerip |
string | Peer IP |
pfhostid |
string | Host ID |
synchronizetoip |
string | XMLRPC target IP |
username |
string | XMLRPC username |
password |
string | XMLRPC password |
adminsync |
string | Admin sync flag |
synchronizeusers |
string | Sync users |
synchronizeauthservers |
string | Sync auth servers |
synchronizecerts |
string | Sync certificates |
synchronizerules |
string | Sync firewall rules |
synchronizeschedules |
string | Sync schedules |
synchronizealiases |
string | Sync aliases |
synchronizenat |
string | Sync NAT |
synchronizeipsec |
string | Sync IPsec |
synchronizeopenvpn |
string | Sync OpenVPN |
synchronizedhcpd |
string | Sync DHCP server |
synchronizedhcrelay |
string | Sync DHCP relay |
synchronizekea6 |
string | Sync Kea DHCPv6 |
synchronizedhcrelay6 |
string | Sync DHCPv6 relay |
synchronizewol |
string | Sync WOL |
synchronizestaticroutes |
string | Sync static routes |
synchronizevirtualip |
string | Sync Virtual IPs |
synchronizetrafficshaper |
string | Sync ALTQ shaper |
synchronizetrafficshaperlimiter |
string | Sync limiters |
synchronizednsforwarder |
string | Sync DNS forwarder |
synchronizecaptiveportal |
string | Sync captive portal |
All boolean fields store on or false.
<bridges> -- Bridge InterfacesPath: bridges/bridged[]
| Field | Type | Description |
|---|---|---|
bridgeif |
string | Bridge interface name (e.g., bridge0) |
members |
string | Comma-separated interface list |
descr |
string | Description |
enablestp |
presence | RSTP/STP support |
ip6linklocal |
presence | IPv6 auto link-local |
maxaddr |
string | Address cache size |
timeout |
string | Cache expiration (seconds) |
maxage |
string | STP config validity |
fwdelay |
string | STP forward delay |
hellotime |
string | STP hello interval |
priority |
string | Bridge STP priority |
proto |
string | rstp or stp |
holdcnt |
string | STP transmit hold count |
ifpriority |
string | Comma-separated interface:priority pairs |
ifpathcost |
string | Comma-separated interface:cost pairs |
stp |
string | Comma-separated STP-enabled interfaces |
span |
string | Comma-separated span ports |
edge |
string | Comma-separated edge ports |
autoedge |
string | Comma-separated auto-edge |
ptp |
string | Comma-separated point-to-point |
autoptp |
string | Comma-separated auto-PTP |
static |
string | Comma-separated sticky ports |
private |
string | Comma-separated private ports |
Reusable: very similar to OPNsense's bridges/bridged[].
<gifs> -- GIF TunnelsPath: gifs/gif[]
| Field | Type | Description |
|---|---|---|
if |
string | Parent interface |
gifif |
string | GIF interface identifier |
remote-addr |
string | Peer encapsulation address |
tunnel-local-addr |
string | Local tunnel endpoint |
tunnel-remote-addr |
string | Remote tunnel endpoint |
tunnel-remote-net |
string | Subnet prefix (1-32 or 1-128) |
tunnel-local-addr6 |
string | IPv6 local tunnel |
tunnel-remote-addr6 |
string | IPv6 remote tunnel |
tunnel-remote-net6 |
string | IPv6 prefix |
link1 |
presence | ECN friendly behavior |
link2 |
presence | Outer source filtering |
descr |
string | Description |
Reusable: nearly identical to OPNsense.
<gres> -- GRE TunnelsPath: gres/gre[]
Same structure as GIF tunnels but uses greif instead of gifif, and adds link0.
Reusable: nearly identical to OPNsense.
<laggs> -- Link AggregationPath: laggs/lagg[]
| Field | Type | Description |
|---|---|---|
laggif |
string | LAGG interface name (e.g., lagg0) |
members |
string | Comma-separated physical interfaces |
proto |
string | none, lacp, failover, loadbalance, roundrobin |
descr |
string | Description |
failovermaster |
string | Primary failover interface or auto |
lacptimeout |
string | slow or fast |
lagghash |
string | Hash algorithm for load balancing |
OPNsense difference: pfSense adds failovermaster and lagghash.
<crl> -- Certificate Revocation ListsPath: crl[] (top-level array, repeating)
| Field | Type | Description |
|---|---|---|
refid |
string | Unique identifier |
caref |
string | Parent CA reference |
descr |
string | Description |
method |
string | internal or existing |
text |
string | Base64-encoded CRL (imported) |
lifetime |
string | Validity (days) |
serial |
string | Serial number |
cert[] |
array | Revoked certs: refid, descr, reason, revoke_time |
nat/onetoone[] -- 1:1 NAT (BiNAT)| Field | Type | Description |
|---|---|---|
interface |
string | Interface |
ipprotocol |
string | inet / inet6 |
external |
string | External address |
src / srcmask |
string | Source network |
srcnot |
string | Negate source |
dst / dstmask |
string | Destination network |
dstnot |
string | Negate destination |
nobinat |
string | Disable binat |
natreflection |
string | Reflection mode |
disabled |
string | Disable flag |
descr |
string | Description |
nat/npt[] -- IPv6 Network Prefix Translation| Field | Type | Description |
|---|---|---|
interface |
string | Interface |
src / srcmask |
string | Internal prefix |
srcnot |
string | Negate source |
dst / dstmask |
string | External prefix |
dstnot |
string | Negate destination |
disabled |
string | Disable flag |
descr |
string | Description |
<ntpd> -- NTP DaemonPath: ntpd/
| Field | Type | Description |
|---|---|---|
enable |
presence | Enable NTP |
interface |
string | Listening interfaces |
prefer |
string | Preferred servers |
noselect |
string | Excluded servers |
ispool |
string | Pool-type servers |
ispeer |
string | Peer-type servers |
ntpminpoll / ntpmaxpoll |
string | Poll intervals |
ntpmaxpeers |
string | Max pool peers |
orphan |
string | Orphan stratum |
dnsresolv |
string | DNS protocol (auto/inet/inet6) |
logpeer / logsys |
presence | Logging |
clockstats / loopstats / peerstats |
presence | Statistics |
statsgraph |
presence | RRD graphs |
serverauth |
presence | NTPv3 auth |
serverauthkey |
string | Base64 auth key |
serverauthkeyid |
string | Key ID (1-65535) |
serverauthalgo |
string | md5/sha1/sha256 |
gps/port |
string | GPS serial port |
gps/speed |
string | GPS baud rate |
pps/port |
string | PPS serial port |
Note: time servers are at system/timeservers (space-separated), not under ntpd/.
<dnsmasq> -- DNS ForwarderPath: dnsmasq/
| Field | Type | Description |
|---|---|---|
enable |
presence | Enable forwarder |
port |
string | Listen port |
interface |
string | Listening interfaces |
regdhcp |
presence | Register DHCP leases |
regdhcpstatic |
presence | Register static DHCP |
dhcpfirst |
presence | DHCP before static |
strict_order |
presence | Strict query ordering |
domain_needed |
presence | Require domain for queries |
no_private_reverse |
presence | No reverse for private IPs |
no_system_dns |
presence | Ignore system DNS |
strictbind |
presence | Strict interface binding |
custom_options |
string | Raw dnsmasq config |
hosts[] |
array | Host overrides: host, domain, ip, descr, aliases/item[] |
domainoverrides[] |
array | Domain overrides: domain, ip, dnssrcip, descr |
system/authserver[] -- Authentication Servers| Field | Type | Description |
|---|---|---|
refid |
string | Unique identifier |
name |
string | Server name |
type |
string | ldap or radius |
host |
string | Server address |
LDAP-specific: ldap_caref, ldap_port, ldap_urltype, ldap_protver, ldap_scope, ldap_basedn, ldap_authcn, ldap_binddn, ldap_bindpw, ldap_timeout, ldap_attr_user, ldap_attr_group, ldap_attr_member, ldap_attr_groupobj, ldap_pam_groupdn, ldap_extended_enabled, ldap_extended_query, ldap_utf8, ldap_nostrip_at, ldap_allow_unauthenticated, ldap_rfc2307, ldap_rfc2307_userdn, ldap_rfc2307_basedn_groups.
RADIUS-specific: radius_protocol, radius_secret, radius_nasip_attribute, radius_auth_port, radius_acct_port, radius_timeout, disable_radius_msg_auth.
system/notifications -- Notification Channels| Sub-section | Fields |
|---|---|
smtp |
disable, ipaddress, port, timeout, ssl, sslvalidate, fromaddress, notifyemailaddress, username, password, authmech |
telegram |
enable, api, chatid |
pushover |
enable, apikey, userkey, sound, priority, retry, expire |
slack |
enable, api, channel |
system/sysctl/item[] -- Kernel Tunables| Field | Type | Description |
|---|---|---|
tunable |
string | Sysctl key (e.g., net.inet.ip.forwarding) |
value |
string | Sysctl value |
descr |
string | Description |
Medium Priority
<captiveportal> -- Captive PortalZone-keyed map (NOT an array). Each child element is a zone name:
| Field | Type | Description |
|---|---|---|
enable |
presence | Enable zone |
zoneid |
string | Numeric zone identifier |
descr |
string | Description |
interface |
string | Interface(s) |
timeout |
string | Hard timeout (minutes) |
idletimeout |
string | Idle timeout (minutes) |
trafficquota |
string | Megabytes |
auth_method |
string | none, authserver, radmac |
auth_server / auth_server2 |
string | Comma-separated servers |
httpslogin |
presence | HTTPS login |
certref |
string | Certificate reference |
preauthurl |
string | Pre-auth URL |
redirurl |
string | Redirect URL |
bwdefaultdn / bwdefaultup |
string | Default bandwidth (Kbit/s) |
noconcurrentlogins |
presence | No concurrent logins |
termsconditions |
string | Base64-encoded terms |
page/htmltext |
string | Base64-encoded portal page |
page/errtext |
string | Base64-encoded error page |
page/logouttext |
string | Base64-encoded logout page |
element[] |
array | Uploaded files |
allowedip[] |
array | Allowed IP entries |
allowedhostname[] |
array | Allowed hostname entries |
passthrumac[] |
array | Passthrough MAC entries |
<shaper> -- ALTQ Traffic ShapingPath: shaper/queue[] (recursive hierarchy)
Root queue:
| Field | Type | Description |
|---|---|---|
interface |
string | Interface |
name |
string | Queue name |
scheduler |
string | HFSC, CBQ, FAIRQ, CODELQ, PRIQ |
bandwidth |
string | Numeric capacity |
bandwidthtype |
string | b, Kb, Mb, Gb, % |
qlimit |
string | Max queue depth (packets) |
tbrconfig |
string | Token bucket regulator (bytes) |
enabled |
string | on or empty |
Child queue (adds to root):
| Field | Type | Description |
|---|---|---|
priority |
string | 0-15 (PRIQ) or 0-7 (CBQ/FAIRQ) |
description |
string | Admin text |
default |
presence | Default queue flag |
red / rio / ecn / codel |
presence | AQM toggles |
borrow |
presence | CBQ bandwidth borrowing |
linkshare1,2,3 |
string | HFSC link share curve (m1, d, m2) |
realtime1,2,3 |
string | HFSC real-time curve |
upperlimit1,2,3 |
string | HFSC upper limit curve |
queue[] |
nested | Child queues (recursive) |
<dnshaper> -- Dummynet LimitersPath: dnshaper/queue[]
| Field | Type | Description |
|---|---|---|
name |
string | Pipe identifier |
number |
string | Dummynet pipe number |
bandwidth |
string | Capacity |
bandwidthtype |
string | Scale |
qlimit |
string | Queue size (packets) |
plr |
string | Packet loss rate (0-1) |
delay |
string | Latency (ms) |
buckets |
string | Hash table entries |
sched |
string | wf2q+, fifo, qfq, rr, prio |
aqm |
string | droptail, codel, pie, red, gred |
enabled |
string | Activation |
mask/type |
string | srcaddress, dstaddress, none |
mask/bits / mask/bitsv6 |
string | CIDR prefix |
queue[] |
nested | Child queues |
<schedules> -- Firewall SchedulesPath: schedules/schedule[]
| Field | Type | Description |
|---|---|---|
name |
string | Schedule identifier |
descr |
string | Description |
schedlabel |
string | Label |
timerange[] |
array | position, month, day, hour, rangedescr |
<dyndnses> -- Dynamic DNSPath: dyndnses/dyndns[]
| Field | Type | Description |
|---|---|---|
enable |
presence | Enable entry |
type |
string | Provider identifier |
interface |
string | Source interface |
host |
string | Hostname to update |
domainname |
string | Domain name |
username |
string | Provider username |
password |
string | Provider password (base64) |
wildcard |
string | Wildcard DNS |
proxied |
string | CDN proxied (Cloudflare) |
zoneid |
string | Zone ID (Cloudflare) |
ttl |
string | TTL value |
updateurl |
string | Custom update URL |
resultmatch |
string | Custom result regex |
check_ip_mode |
string | IP detection method |
descr |
string | Description |
<dhcrelay> / <dhcrelay6> -- DHCP Relay| Field | Type | Description |
|---|---|---|
enable |
presence | Enable relay |
interface |
string | Comma-separated downstream interfaces |
server |
string | Comma-separated upstream server IPs |
agentoption |
presence | Append circuit/agent ID |
carpstatusvip |
string | CARP VIP for status |
Note: DHCP relay and DHCP server are mutually exclusive.
<ifgroups> -- Interface GroupsPath: ifgroups/ifgroupentry[]
| Field | Type | Description |
|---|---|---|
ifname |
string | Group name |
members |
string | Comma-separated interfaces |
descr |
string | Description |
Reusable: identical to OPNsense.
<qinqs> -- QinQ (802.1ad)Path: qinqs/qinqentry[]
| Field | Type | Description |
|---|---|---|
if |
string | Parent interface |
tag |
string | Outer VLAN tag |
tag_type |
string | ctag or stag |
members |
string | Space-separated inner VLAN tags |
descr |
string | Description |
vlanif |
string | QinQ interface name |
<wol> -- Wake on LANPath: wol/wolentry[]
| Field | Type | Description |
|---|---|---|
interface |
string | Network interface |
mac |
string | MAC address |
descr |
string | Description |
<installedpackages> -- Package ConfigurationDynamic structure per installed package. Common packages: miniupnpd, haproxy, pfblockerng, suricata, snort, acme.
Sub-arrays: package[] (name, internal_name, configurationfile, include_file), menu[], service[].
<igmpproxy> -- IGMP ProxyPath: igmpproxy/igmpentry[]
| Field | Type | Description |
|---|---|---|
ifname |
string | Interface |
threshold |
string | TTL threshold |
type |
string | upstream or downstream |
address |
string | Space-separated CIDRs |
descr |
string | Description |
Low Priority (legacy/niche)
<l2tp> -- L2TP VPN Server| Field | Type | Description |
|---|---|---|
mode |
string | off / server |
interface |
string | Interface |
localip / remoteip |
string | IP pool |
n_l2tp_units |
string | Max clients |
secret |
string | L2TP secret |
dns1 / dns2 |
string | DNS servers |
user[] |
array | name, password, ip |
radius/server / radius/secret |
string | RADIUS auth |
<pppoes> -- PPPoE ServerPath: pppoes/pppoe[]
Fields: pppoeid, mode, interface, paporchap, localip, remoteip, n_pppoe_units, n_pppoe_maxlogin, dns1, dns2, username, radius/*.
<voucher> -- Captive Portal VouchersZone-keyed map: enable, freelogins_count, freelogins_resettimeout, freelogins_updatetimeouts.
<kea> / <kea6> -- Kea DHCP Backend (pfSense 2.7+)| Field | Type | Description |
|---|---|---|
enable |
string | Enable Kea |
loglevel |
string | Log verbosity |
custom_kea_config |
string | Custom configuration |
ha/role |
string | HA role |
ha/localname / ha/localip / ha/localport |
string | Local HA node |
ha/remotename / ha/remoteip / ha/remoteport |
string | Remote HA node |
ha/tls / ha/scertref / ha/ccertref |
string | TLS settings |
Other Legacy Sections
| Section | Notes |
|---|---|
<pptpd> |
PPTP daemon (deprecated, insecure) |
<proxyarp> |
Proxy ARP (legacy) |
<wireless> |
Wireless interface clones |
<rrddata> |
Embedded RRD backup data |
<shellcmd> / <earlyshellcmd> |
Boot-time commands (shellcmd package) |
Expanded System Fields (Not Yet in Schema)
The <system> section has many fields beyond what is currently implemented. Notable missing fields:
Firewall Tuning
| Field | Description |
|---|---|
maximumstates |
Max firewall states |
maximumtableentries |
Max pf table entries |
maximumfrags |
Max fragment entries |
disablefilter |
Disable firewall entirely |
scrubnodf |
Clear DF bit |
scrubrnid |
Randomize IP ID |
disablescrub |
Disable scrub |
bypassstaticroutes |
Bypass rules for static routes |
disablevpnrules |
Disable auto VPN rules |
NAT Reflection
| Field | Description |
|---|---|
disablenatreflection |
Disable NAT reflection |
enablenatreflectionpurenat |
Pure NAT reflection mode |
enablebinatreflection |
1:1 NAT reflection |
enablenatreflectionhelper |
FTP helper for reflection |
reflectiontimeout |
Reflection timeout |
IPv6
| Field | Description |
|---|---|
ipv6allow |
Allow IPv6 |
ipv6nat_enable |
IPv6 NAT66 |
ipv6nat_ipaddr |
NAT66 address |
prefer_ipv4 |
Prefer IPv4 |
ipv6dontcreatelocaldns |
Skip IPv6 DNS entries |
ipv6duidtype |
DUID type |
global-v6duid |
Global DHCPv6 DUID |
Network Offloading
| Field | Description |
|---|---|
disablechecksumoffloading |
Disable checksum offload |
disablesegmentationoffloading |
Disable TSO |
disablelargereceiveoffloading |
Disable LRO |
Miscellaneous
| Field | Description |
|---|---|
ip_change_kill_states |
Kill states on IP change |
gw_down_kill_states |
Kill states on gateway down |
skip_rules_gw_down |
Skip rules when GW down |
keep_failover_states |
Keep states on failover |
lb_use_sticky |
Sticky load balancer |
schedule_states |
Schedule-based state clearing |
pti_disabled |
Meltdown mitigation toggle |
mds_disable |
MDS mitigation toggle |
thermal_hardware |
Thermal sensor driver |
harddiskstandby |
Disk standby timer |
php_memory_limit |
PHP memory limit |
use_mfs_tmpvar |
RAM-based /tmp and /var |
rrdbackup / dhcpbackup / logsbackup |
Backup intervals |
do_not_send_uniqueid |
Privacy flag |
WebGUI Extended Fields
| Field | Description |
|---|---|
port |
Custom HTTPS port |
disablehttpredirect |
Disable HTTP-to-HTTPS redirect |
disablehsts |
Disable HSTS header |
ocsp-staple |
OCSP stapling |
max_procs |
Max web server processes |
session_timeout |
Session timeout (minutes) |
authmode |
Authentication mode |
nodnsrebindcheck |
Disable DNS rebind check |
nohttpreferercheck |
Disable HTTP referer check |
noantilockout |
Disable anti-lockout rule |
roaming |
Allow roaming (multi-IP sessions) |
pwhash |
Password hash algorithm (bcrypt/sha512) |
pagenamefirst |
Page name first in title |
User Extended Fields
| Field | Description |
|---|---|
sha512-hash |
Legacy SHA-512 password hash |
customsettings |
Custom GUI preferences flag |
widgets |
Personal widget layout |
dashboardcolumns |
Personal dashboard columns |
webguicss |
Personal CSS theme |
webguihostnamemenu |
Hostname display preference |
interfacessort |
Interface sort preference |
keephistory |
Shell history retention |
cert[] |
User certificate references |
SSHGuard (system/sshguard)
| Field | Description |
|---|---|
threshold |
Attack score threshold |
blocktime |
Block duration (seconds) |
detection_time |
Detection window (seconds) |
whitelist |
Space-separated whitelisted IPs |
Auto Config Backup (system/acb)
| Field | Description |
|---|---|
enable |
Enable ACB |
device_key |
Device identifier |
encryption_password |
Backup encryption password |
frequency |
Backup frequency |
Expanded Syslog Fields (Not Yet in Schema)
The current schema only captures filterdescriptions. Full pfSense syslog:
| Field | Description |
|---|---|
enable |
Enable remote logging |
remoteserver / remoteserver2 / remoteserver3 |
Up to 3 remote servers |
sourceip |
Source IP for syslog packets |
ipproto |
ipv4 / ipv6 |
format |
rfc3164 / rfc5424 |
logfilesize |
Max log file size |
rotatecount |
Number of rotated logs |
reverse |
Reverse display order |
logcompressiontype |
Compression for rotated logs |
disablelocallogging |
Disable local log storage |
logall |
Log all facilities |
default_log_level |
Default syslog level |
filterdescriptions |
Filter log descriptions (1/2) |
logconfigchanges |
Log config changes |
Per-facility: auth, routing, ntpd, ppp, vpn, dpinger, resolver, dhcp, hostapd, filter, portalauth, system |
Remote log flags |
Expanded Unbound Fields (Not Yet in Schema)
| Field | Description |
|---|---|
forwarding |
Enable forwarding mode |
forward_tls_upstream |
TLS to upstream forwarders |
enablessl |
Enable DNS-over-TLS service |
tlsport |
TLS port (default 853) |
regdhcp |
Register DHCP leases |
regdhcpstatic |
Register static DHCP |
regovpnclients |
Register OpenVPN clients |
aggressivensec |
Aggressive NSEC |
use_caps |
0x20 encoding |
prefetch / prefetchkey |
Cache prefetching |
dnsrecordcache |
Record cache size |
qname-minimisation |
QNAME minimisation |
qname-minimisation-strict |
Strict QNAME minimisation |
always_add_short_names |
Short hostname entries |
disable_auto_added_host_entries |
Skip auto host entries |
disable_auto_added_access_control |
Skip auto ACLs |
python |
Python module support |
python_order / python_script |
Module config |
dns64 / dns64/prefix |
DNS64 support |
stats / stats_interval |
Statistics |
msgcachesize |
Message cache (MB) |
cache_max_ttl / cache_min_ttl |
TTL bounds |
log_verbosity |
Log level |
custom_options |
Base64-encoded custom config |
hosts[] |
Host overrides: host, domain, ip, descr, aliases/item[] |
domainoverrides[] |
Domain overrides: domain, ip, descr, tls_hostname, forward_tls_upstream |
acls[] |
Access control lists: aclid, aclname, aclaction, row[] |
Sources
- pfSense source: xmlparse.inc -- listtags, XML parsing
- pfSense source: config.lib.inc -- config management
- pfSense source: upgrade_config.inc -- version migrations
- pfSense Documentation -- official docs
- pfSense Versions -- version mapping
Documentation
¶
Overview ¶
Package pfsense defines the data structures for pfSense configurations.
Package pfsense defines the data structures for pfSense configurations.
Package pfsense defines the data structures for pfSense configurations.
Package pfsense defines the data structures for pfSense configurations.
Package pfsense defines the data structures for pfSense configurations.
Package pfsense defines the data structures for pfSense configurations.
Package pfsense defines the data structures for pfSense configurations.
Index ¶
- type Cron
- type CronItem
- type DHCPv6
- type DHCPv6Interface
- type Dhcpd
- func (d *Dhcpd) Get(key string) (DhcpdInterface, bool)
- func (d *Dhcpd) Lan() (DhcpdInterface, bool)
- func (d *Dhcpd) MarshalXML(e *xml.Encoder, start xml.StartElement) error
- func (d *Dhcpd) Names() []string
- func (d *Dhcpd) UnmarshalXML(decoder *xml.Decoder, start xml.StartElement) error
- func (d *Dhcpd) Wan() (DhcpdInterface, bool)
- type DhcpdInterface
- type Diag
- type Document
- type Filter
- type FilterRule
- type Group
- type IPv6NAT
- type InboundRule
- type Interface
- type Interfaces
- func (i *Interfaces) Get(key string) (Interface, bool)
- func (i *Interfaces) Lan() (Interface, bool)
- func (i *Interfaces) MarshalXML(e *xml.Encoder, start xml.StartElement) error
- func (i *Interfaces) Names() []string
- func (i *Interfaces) UnmarshalXML(decoder *xml.Decoder, start xml.StartElement) error
- func (i *Interfaces) Wan() (Interface, bool)
- type Nat
- type SyslogConfig
- type System
- type UnboundConfig
- type User
- type WebGUI
- type Widgets
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Cron ¶
type Cron struct {
Items []CronItem `xml:"item,omitempty" json:"items,omitempty" yaml:"items,omitempty"`
}
Cron represents the pfSense cron configuration.
type CronItem ¶
type CronItem struct {
Minute string `xml:"minute" json:"minute" yaml:"minute"`
Hour string `xml:"hour" json:"hour" yaml:"hour"`
MDay string `xml:"mday" json:"mday" yaml:"mday"`
Month string `xml:"month" json:"month" yaml:"month"`
WDay string `xml:"wday" json:"wday" yaml:"wday"`
Who string `xml:"who" json:"who" yaml:"who"`
Command string `xml:"command" json:"command" yaml:"command"`
}
CronItem represents a single pfSense cron job entry.
type DHCPv6 ¶
type DHCPv6 struct {
Items map[string]DHCPv6Interface `xml:",any" json:"dhcpv6,omitempty" yaml:"dhcpv6,omitempty"`
}
DHCPv6 contains the DHCPv6 server configuration for all interfaces. Uses a map-based representation identical to Dhcpd, supporting wan, lan, opt0, etc.
func (*DHCPv6) Get ¶
func (d *DHCPv6) Get(key string) (DHCPv6Interface, bool)
Get returns a DHCPv6 interface configuration by its key name (e.g., "lan", "opt0"). Returns the DHCPv6 interface configuration and a boolean indicating if it was found.
func (*DHCPv6) MarshalXML ¶
MarshalXML implements custom XML marshaling for the DHCPv6 map.
func (*DHCPv6) Names ¶
Names returns a slice of all DHCPv6 interface key names in the configuration.
func (*DHCPv6) UnmarshalXML ¶
UnmarshalXML implements custom XML unmarshaling for the DHCPv6 map.
type DHCPv6Interface ¶
type DHCPv6Interface struct {
Enable string `xml:"enable,omitempty" json:"enable,omitempty" yaml:"enable,omitempty"`
Range opnsense.Range `xml:"range,omitempty" json:"range" yaml:"range,omitempty"`
RAMode string `xml:"ramode,omitempty" json:"raMode,omitempty" yaml:"raMode,omitempty"`
RAPriority string `xml:"rapriority,omitempty" json:"raPriority,omitempty" yaml:"raPriority,omitempty"`
}
DHCPv6Interface contains the DHCPv6 server configuration for a specific interface. It includes pfSense-specific fields for Router Advertisement mode and priority.
type Dhcpd ¶
type Dhcpd struct {
Items map[string]DhcpdInterface `xml:",any" json:"dhcp,omitempty" yaml:"dhcp,omitempty"`
}
Dhcpd contains the DHCP server configuration for all pfSense interfaces. Uses a map-based representation where keys are interface identifiers (wan, lan, opt0, etc.).
func (*Dhcpd) Get ¶
func (d *Dhcpd) Get(key string) (DhcpdInterface, bool)
Get returns a DHCP interface configuration by its key name (e.g., "wan", "lan", "opt0"). Returns the DHCP interface configuration and a boolean indicating if it was found.
func (*Dhcpd) Lan ¶
func (d *Dhcpd) Lan() (DhcpdInterface, bool)
Lan returns the LAN DHCP configuration if it exists, otherwise returns a zero-value DhcpdInterface and false.
func (*Dhcpd) MarshalXML ¶
MarshalXML implements custom XML marshaling for the Dhcpd map.
func (*Dhcpd) UnmarshalXML ¶
UnmarshalXML implements custom XML unmarshaling for the Dhcpd map.
func (*Dhcpd) Wan ¶
func (d *Dhcpd) Wan() (DhcpdInterface, bool)
Wan returns the WAN DHCP configuration if it exists, otherwise returns a zero-value DhcpdInterface and false.
type DhcpdInterface ¶
type DhcpdInterface struct {
Enable opnsense.BoolFlag `xml:"enable,omitempty" json:"enable,omitempty" yaml:"enable,omitempty"`
Range opnsense.Range `xml:"range,omitempty" json:"range" yaml:"range,omitempty"`
Gateway string `xml:"gateway,omitempty" json:"gateway,omitempty" yaml:"gateway,omitempty"`
DdnsDomainAlgorithm string `xml:"ddnsdomainalgorithm,omitempty" json:"ddnsdomainalgorithm,omitempty" yaml:"ddnsdomainalgorithm,omitempty"`
NumberOptions []opnsense.DHCPNumberOption `xml:"numberoptions>item,omitempty" json:"numberOptions,omitempty" yaml:"numberOptions,omitempty"`
Winsserver string `xml:"winsserver,omitempty" json:"winsserver,omitempty" yaml:"winsserver,omitempty"`
Dnsserver string `xml:"dnsserver,omitempty" json:"dnsserver,omitempty" yaml:"dnsserver,omitempty"`
Ntpserver string `xml:"ntpserver,omitempty" json:"ntpserver,omitempty" yaml:"ntpserver,omitempty"`
Staticmap []opnsense.DHCPStaticLease `xml:"staticmap,omitempty" json:"staticmap,omitempty" yaml:"staticmap,omitempty"`
// Advanced DHCP fields
AliasAddress string `xml:"alias-address,omitempty" json:"aliasAddress,omitempty" yaml:"aliasAddress,omitempty"`
AliasSubnet string `xml:"alias-subnet,omitempty" json:"aliasSubnet,omitempty" yaml:"aliasSubnet,omitempty"`
DHCPRejectFrom string `xml:"dhcprejectfrom,omitempty" json:"dhcprejectfrom,omitempty" yaml:"dhcprejectfrom,omitempty"`
// Advanced DHCP options
AdvDHCPPTTimeout string `` /* 131-byte string literal not displayed */
AdvDHCPPTRetry string `` /* 129-byte string literal not displayed */
AdvDHCPPTSelectTimeout string `` /* 137-byte string literal not displayed */
AdvDHCPPTReboot string `` /* 130-byte string literal not displayed */
AdvDHCPPTBackoffCutoff string `` /* 137-byte string literal not displayed */
AdvDHCPPTInitialInterval string `` /* 139-byte string literal not displayed */
AdvDHCPPTValues string `` /* 130-byte string literal not displayed */
AdvDHCPSendOptions string `` /* 133-byte string literal not displayed */
AdvDHCPRequestOptions string `` /* 136-byte string literal not displayed */
AdvDHCPRequiredOptions string `` /* 137-byte string literal not displayed */
AdvDHCPOptionModifiers string `` /* 137-byte string literal not displayed */
AdvDHCPConfigAdvanced string `` /* 136-byte string literal not displayed */
AdvDHCPConfigFileOverride string `` /* 140-byte string literal not displayed */
AdvDHCPConfigFileOverridePath string `` /* 144-byte string literal not displayed */
// Advanced DHCPv6 fields
Track6Interface string `` /* 167-byte string literal not displayed */
Track6PrefixID string `` /* 166-byte string literal not displayed */
AdvDHCP6InterfaceStatementSendOptions string `` /* 189-byte string literal not displayed */
AdvDHCP6InterfaceStatementRequestOptions string `` /* 192-byte string literal not displayed */
AdvDHCP6InterfaceStatementInformationOnlyEnable string `` /* 199-byte string literal not displayed */
AdvDHCP6InterfaceStatementScript string `` /* 184-byte string literal not displayed */
AdvDHCP6IDAssocStatementAddressEnable string `` /* 189-byte string literal not displayed */
AdvDHCP6IDAssocStatementAddress string `` /* 183-byte string literal not displayed */
AdvDHCP6IDAssocStatementAddressID string `` /* 185-byte string literal not displayed */
AdvDHCP6IDAssocStatementAddressPLTime string `` /* 189-byte string literal not displayed */
AdvDHCP6IDAssocStatementAddressVLTime string `` /* 189-byte string literal not displayed */
AdvDHCP6IDAssocStatementPrefixEnable string `` /* 188-byte string literal not displayed */
AdvDHCP6IDAssocStatementPrefix string `` /* 182-byte string literal not displayed */
AdvDHCP6IDAssocStatementPrefixID string `` /* 184-byte string literal not displayed */
AdvDHCP6IDAssocStatementPrefixPLTime string `` /* 188-byte string literal not displayed */
AdvDHCP6IDAssocStatementPrefixVLTime string `` /* 188-byte string literal not displayed */
AdvDHCP6PrefixInterfaceStatementSLALen string `` /* 190-byte string literal not displayed */
AdvDHCP6AuthenticationStatementAuthName string `` /* 191-byte string literal not displayed */
AdvDHCP6AuthenticationStatementProtocol string `` /* 191-byte string literal not displayed */
AdvDHCP6AuthenticationStatementAlgorithm string `` /* 192-byte string literal not displayed */
AdvDHCP6AuthenticationStatementRDM string `` /* 186-byte string literal not displayed */
AdvDHCP6KeyInfoStatementKeyName string `` /* 183-byte string literal not displayed */
AdvDHCP6KeyInfoStatementRealm string `` /* 181-byte string literal not displayed */
AdvDHCP6KeyInfoStatementKeyID string `` /* 181-byte string literal not displayed */
AdvDHCP6KeyInfoStatementSecret string `` /* 182-byte string literal not displayed */
AdvDHCP6KeyInfoStatementExpire string `` /* 182-byte string literal not displayed */
AdvDHCP6ConfigAdvanced string `` /* 174-byte string literal not displayed */
AdvDHCP6ConfigFileOverride string `` /* 178-byte string literal not displayed */
AdvDHCP6ConfigFileOverridePath string `` /* 182-byte string literal not displayed */
}
DhcpdInterface contains the DHCP server configuration for a specific pfSense interface. It is a copy-on-write fork of opnsense.DhcpdInterface with Enable changed from string to BoolFlag, because pfSense uses presence-based <enable/> elements.
func (DhcpdInterface) MarshalXML ¶
func (d DhcpdInterface) MarshalXML(e *xml.Encoder, start xml.StartElement) error
MarshalXML implements custom XML marshaling for DhcpdInterface, ensuring that the Enable BoolFlag field is addressable so (*BoolFlag).MarshalXML is invoked. Without this, direct xml.Marshal calls on DhcpdInterface values would fall back to default bool serialization instead of producing pfSense-compatible <enable/> elements. Uses a value receiver so both value and pointer marshaling work correctly.
type Diag ¶
type Diag struct {
IPv6NAT IPv6NAT `xml:"ipv6nat,omitempty" json:"ipv6nat" yaml:"ipv6nat,omitempty"`
}
Diag represents the pfSense diagnostics configuration.
type Document ¶
type Document struct {
XMLName xml.Name `xml:"pfsense" json:"-" yaml:"-"`
Version string `xml:"version,omitempty" json:"version,omitempty" yaml:"version,omitempty"`
LastChange string `xml:"lastchange,omitempty" json:"lastChange,omitempty" yaml:"lastChange,omitempty"`
System System `xml:"system,omitempty" json:"system" yaml:"system,omitempty"`
Interfaces Interfaces `xml:"interfaces,omitempty" json:"interfaces" yaml:"interfaces,omitempty"`
Dhcpd Dhcpd `xml:"dhcpd,omitempty" json:"dhcpd" yaml:"dhcpd,omitempty"`
DHCPv6Server DHCPv6 `xml:"dhcpdv6,omitempty" json:"dhcpdv6" yaml:"dhcpdv6,omitempty"`
Snmpd opnsense.Snmpd `xml:"snmpd,omitempty" json:"snmpd" yaml:"snmpd,omitempty"`
Diag Diag `xml:"diag,omitempty" json:"diag" yaml:"diag,omitempty"`
Syslog SyslogConfig `xml:"syslog,omitempty" json:"syslog" yaml:"syslog,omitempty"`
Nat Nat `xml:"nat,omitempty" json:"nat" yaml:"nat,omitempty"`
Filter Filter `xml:"filter,omitempty" json:"filter" yaml:"filter,omitempty"`
Cron Cron `xml:"cron,omitempty" json:"cron" yaml:"cron,omitempty"`
Rrd opnsense.Rrd `xml:"rrd,omitempty" json:"rrd" yaml:"rrd,omitempty"`
LoadBalancer opnsense.LoadBalancer `xml:"load_balancer,omitempty" json:"loadBalancer" yaml:"loadBalancer,omitempty"`
Widgets Widgets `xml:"widgets,omitempty" json:"widgets" yaml:"widgets,omitempty"`
OpenVPN opnsense.OpenVPN `xml:"openvpn,omitempty" json:"openvpn" yaml:"openvpn,omitempty"`
Unbound UnboundConfig `xml:"unbound,omitempty" json:"unbound" yaml:"unbound,omitempty"`
Revision opnsense.Revision `xml:"revision,omitempty" json:"revision" yaml:"revision,omitempty"`
StaticRoutes opnsense.StaticRoutes `xml:"staticroutes,omitempty" json:"staticroutes" yaml:"staticroutes,omitempty"`
PPPs opnsense.PPPInterfaces `xml:"ppps,omitempty" json:"ppps" yaml:"ppps,omitempty"`
Gateways opnsense.Gateways `xml:"gateways,omitempty" json:"gateways" yaml:"gateways,omitempty"`
CAs []opnsense.CertificateAuthority `xml:"ca,omitempty" json:"ca,omitempty" yaml:"ca,omitempty"`
Certs []opnsense.Cert `xml:"cert,omitempty" json:"cert,omitempty" yaml:"cert,omitempty"`
VLANs opnsense.VLANs `xml:"vlans,omitempty" json:"vlans" yaml:"vlans,omitempty"`
}
Document is the root of the pfSense configuration.
func NewDocument ¶
func NewDocument() *Document
NewDocument returns a new Document with all slice and map fields initialized for safe use.
func (*Document) FilterRules ¶
func (p *Document) FilterRules() []FilterRule
FilterRules returns a slice of all firewall filter rules configured in the system.
type Filter ¶
type Filter struct {
Separator string `xml:"separator,omitempty" json:"separator,omitempty" yaml:"separator,omitempty"`
Rule []FilterRule `xml:"rule" json:"rules,omitempty" yaml:"rules,omitempty"`
}
Filter represents the pfSense firewall filter configuration.
type FilterRule ¶
type FilterRule struct {
XMLName xml.Name `xml:"rule"`
Type string `xml:"type" json:"type" yaml:"type"`
Descr string `xml:"descr,omitempty" json:"description,omitempty" yaml:"description,omitempty"`
Interface opnsense.InterfaceList `xml:"interface,omitempty" json:"interface,omitempty" yaml:"interface,omitempty"`
IPProtocol string `xml:"ipprotocol,omitempty" json:"ipProtocol,omitempty" yaml:"ipProtocol,omitempty"`
StateType string `xml:"statetype,omitempty" json:"stateType,omitempty" yaml:"stateType,omitempty"`
Direction string `xml:"direction,omitempty" json:"direction,omitempty" yaml:"direction,omitempty"`
Floating string `xml:"floating,omitempty" json:"floating,omitempty" yaml:"floating,omitempty"`
Quick opnsense.BoolFlag `xml:"quick,omitempty" json:"quick" yaml:"quick,omitempty"`
Protocol string `xml:"protocol,omitempty" json:"protocol,omitempty" yaml:"protocol,omitempty"`
Source opnsense.Source `xml:"source" json:"source" yaml:"source"`
Destination opnsense.Destination `xml:"destination" json:"destination" yaml:"destination"`
Target string `xml:"target,omitempty" json:"target,omitempty" yaml:"target,omitempty"`
Gateway string `xml:"gateway,omitempty" json:"gateway,omitempty" yaml:"gateway,omitempty"`
SourcePort string `xml:"sourceport,omitempty" json:"sourcePort,omitempty" yaml:"sourcePort,omitempty"`
Log opnsense.BoolFlag `xml:"log,omitempty" json:"log" yaml:"log,omitempty"`
Disabled opnsense.BoolFlag `xml:"disabled,omitempty" json:"disabled" yaml:"disabled,omitempty"`
Tracker string `xml:"tracker,omitempty" json:"tracker,omitempty" yaml:"tracker,omitempty"`
// Rate-limiting fields (DoS protection)
MaxSrcNodes string `xml:"max-src-nodes,omitempty" json:"maxSrcNodes,omitempty" yaml:"maxSrcNodes,omitempty"`
MaxSrcConn string `xml:"max-src-conn,omitempty" json:"maxSrcConn,omitempty" yaml:"maxSrcConn,omitempty"`
MaxSrcConnRate string `xml:"max-src-conn-rate,omitempty" json:"maxSrcConnRate,omitempty" yaml:"maxSrcConnRate,omitempty"`
MaxSrcConnRates string `xml:"max-src-conn-rates,omitempty" json:"maxSrcConnRates,omitempty" yaml:"maxSrcConnRates,omitempty"`
// TCP/ICMP fields
TCPFlags1 string `xml:"tcpflags1,omitempty" json:"tcpFlags1,omitempty" yaml:"tcpFlags1,omitempty"`
TCPFlags2 string `xml:"tcpflags2,omitempty" json:"tcpFlags2,omitempty" yaml:"tcpFlags2,omitempty"`
TCPFlagsAny opnsense.BoolFlag `xml:"tcpflags_any,omitempty" json:"tcpFlagsAny" yaml:"tcpFlagsAny,omitempty"`
ICMPType string `xml:"icmptype,omitempty" json:"icmpType,omitempty" yaml:"icmpType,omitempty"`
ICMP6Type string `xml:"icmp6-type,omitempty" json:"icmp6Type,omitempty" yaml:"icmp6Type,omitempty"`
// State and advanced fields
StateTimeout string `xml:"statetimeout,omitempty" json:"stateTimeout,omitempty" yaml:"stateTimeout,omitempty"`
AllowOpts opnsense.BoolFlag `xml:"allowopts,omitempty" json:"allowOpts" yaml:"allowOpts,omitempty"`
DisableReplyTo opnsense.BoolFlag `xml:"disablereplyto,omitempty" json:"disableReplyTo" yaml:"disableReplyTo,omitempty"`
NoPfSync opnsense.BoolFlag `xml:"nopfsync,omitempty" json:"noPfSync" yaml:"noPfSync,omitempty"`
NoSync opnsense.BoolFlag `xml:"nosync,omitempty" json:"noSync" yaml:"noSync,omitempty"`
Updated *opnsense.Updated `xml:"updated,omitempty" json:"updated,omitempty" yaml:"updated,omitempty"`
Created *opnsense.Created `xml:"created,omitempty" json:"created,omitempty" yaml:"created,omitempty"`
UUID string `xml:"uuid,attr,omitempty" json:"uuid,omitempty" yaml:"uuid,omitempty"`
// pfSense-specific fields
ID string `xml:"id,omitempty" json:"id,omitempty" yaml:"id,omitempty"`
Tag string `xml:"tag,omitempty" json:"tag,omitempty" yaml:"tag,omitempty"`
Tagged string `xml:"tagged,omitempty" json:"tagged,omitempty" yaml:"tagged,omitempty"`
Max string `xml:"max,omitempty" json:"max,omitempty" yaml:"max,omitempty"`
MaxSrcStates string `xml:"max-src-states,omitempty" json:"maxSrcStates,omitempty" yaml:"maxSrcStates,omitempty"`
OS string `xml:"os,omitempty" json:"os,omitempty" yaml:"os,omitempty"`
AssociatedRuleID string `xml:"associated-rule-id,omitempty" json:"associatedRuleID,omitempty" yaml:"associatedRuleID,omitempty"`
}
FilterRule represents a pfSense firewall rule. It extends the base OPNsense Rule fields with pfSense-specific attributes such as rule ID, pf tags, state limits, OS fingerprinting, and NAT association.
type Group ¶
type Group struct {
Name string `xml:"name" json:"name" yaml:"name"`
Description string `xml:"description" json:"description,omitempty" yaml:"description,omitempty"`
Scope string `xml:"scope" json:"scope" yaml:"scope"`
//nolint:staticcheck // Field name matches pfSense schema
Gid string `xml:"gid" json:"gid" yaml:"gid"`
Member []string `xml:"member" json:"members,omitempty" yaml:"members,omitempty"`
Priv []string `xml:"priv" json:"privileges,omitempty" yaml:"privileges,omitempty"`
}
Group represents a pfSense group. Forked from opnsense.Group because pfSense supports multiple <priv> elements per group (copy-on-write per AGENTS.md §6.1).
type IPv6NAT ¶
type IPv6NAT struct {
IPAddr string `xml:"ipaddr,omitempty" json:"ipaddr,omitempty" yaml:"ipaddr,omitempty"`
}
IPv6NAT represents the pfSense IPv6 NAT diagnostics configuration.
type InboundRule ¶
type InboundRule struct {
XMLName xml.Name `xml:"rule"`
Interface opnsense.InterfaceList `xml:"interface,omitempty" json:"interface,omitempty" yaml:"interface,omitempty"`
IPProtocol string `xml:"ipprotocol,omitempty" json:"ipProtocol,omitempty" yaml:"ipProtocol,omitempty"`
Protocol string `xml:"protocol,omitempty" json:"protocol,omitempty" yaml:"protocol,omitempty"`
Source opnsense.Source `xml:"source" json:"source" yaml:"source"`
Destination opnsense.Destination `xml:"destination" json:"destination" yaml:"destination"`
ExternalPort string `xml:"externalport,omitempty" json:"externalPort,omitempty" yaml:"externalPort,omitempty"`
Target string `xml:"target,omitempty" json:"target,omitempty" yaml:"target,omitempty"`
InternalIP string `xml:"internalip,omitempty" json:"internalIP,omitempty" yaml:"internalIP,omitempty"`
InternalPort string `xml:"internalport,omitempty" json:"internalPort,omitempty" yaml:"internalPort,omitempty"`
LocalPort string `xml:"local-port,omitempty" json:"localPort,omitempty" yaml:"localPort,omitempty"`
Reflection string `xml:"reflection,omitempty" json:"reflection,omitempty" yaml:"reflection,omitempty"`
NATReflection string `xml:"natreflection,omitempty" json:"natReflection,omitempty" yaml:"natReflection,omitempty"`
AssociatedRuleID string `xml:"associated-rule-id,omitempty" json:"associatedRuleID,omitempty" yaml:"associatedRuleID,omitempty"`
Priority int `xml:"priority,omitempty" json:"priority,omitempty" yaml:"priority,omitempty"`
NoRDR opnsense.BoolFlag `xml:"nordr,omitempty" json:"noRDR,omitempty" yaml:"noRDR,omitempty"`
NoSync opnsense.BoolFlag `xml:"nosync,omitempty" json:"noSync,omitempty" yaml:"noSync,omitempty"`
Disabled opnsense.BoolFlag `xml:"disabled,omitempty" json:"disabled,omitempty" yaml:"disabled,omitempty"`
Log opnsense.BoolFlag `xml:"log,omitempty" json:"log,omitempty" yaml:"log,omitempty"`
Descr string `xml:"descr,omitempty" json:"description,omitempty" yaml:"description,omitempty"`
Updated *opnsense.Updated `xml:"updated,omitempty" json:"updated,omitempty" yaml:"updated,omitempty"`
Created *opnsense.Created `xml:"created,omitempty" json:"created,omitempty" yaml:"created,omitempty"`
UUID string `xml:"uuid,attr,omitempty" json:"uuid,omitempty" yaml:"uuid,omitempty"`
}
InboundRule represents a pfSense inbound NAT rule (port forwarding). This is a copy-on-write fork of opnsense.InboundRule because pfSense uses a <target> element for the internal redirect IP, whereas OPNsense uses <internalip>.
type Interface ¶
type Interface struct {
Enable opnsense.BoolFlag `xml:"enable,omitempty" json:"enable,omitempty" yaml:"enable,omitempty"`
If string `xml:"if,omitempty" json:"if,omitempty" yaml:"if,omitempty"`
Descr string `xml:"descr,omitempty" json:"descr,omitempty" yaml:"descr,omitempty"`
Spoofmac string `xml:"spoofmac,omitempty" json:"spoofmac,omitempty" yaml:"spoofmac,omitempty"`
InternalDynamic int `xml:"internal_dynamic,omitempty" json:"internalDynamic,omitempty" yaml:"internalDynamic,omitempty"`
Type string `xml:"type,omitempty" json:"type,omitempty" yaml:"type,omitempty"`
Virtual int `xml:"virtual,omitempty" json:"virtual,omitempty" yaml:"virtual,omitempty"`
Lock int `xml:"lock,omitempty" json:"lock,omitempty" yaml:"lock,omitempty"`
MTU string `xml:"mtu,omitempty" json:"mtu,omitempty" yaml:"mtu,omitempty"`
IPAddr string `xml:"ipaddr,omitempty" json:"ipaddr,omitempty" yaml:"ipaddr,omitempty"`
IPAddrv6 string `xml:"ipaddrv6,omitempty" json:"ipaddrv6,omitempty" yaml:"ipaddrv6,omitempty"`
Subnet string `xml:"subnet,omitempty" json:"subnet,omitempty" yaml:"subnet,omitempty"`
Subnetv6 string `xml:"subnetv6,omitempty" json:"subnetv6,omitempty" yaml:"subnetv6,omitempty"`
Gateway string `xml:"gateway,omitempty" json:"gateway,omitempty" yaml:"gateway,omitempty"`
Gatewayv6 string `xml:"gatewayv6,omitempty" json:"gatewayv6,omitempty" yaml:"gatewayv6,omitempty"`
BlockPriv string `xml:"blockpriv,omitempty" json:"blockpriv,omitempty" yaml:"blockpriv,omitempty"`
BlockBogons string `xml:"blockbogons,omitempty" json:"blockbogons,omitempty" yaml:"blockbogons,omitempty"`
DHCPHostname string `xml:"dhcphostname,omitempty" json:"dhcphostname,omitempty" yaml:"dhcphostname,omitempty"`
Media string `xml:"media,omitempty" json:"media,omitempty" yaml:"media,omitempty"`
MediaOpt string `xml:"mediaopt,omitempty" json:"mediaopt,omitempty" yaml:"mediaopt,omitempty"`
DHCP6IaPdLen int `xml:"dhcp6-ia-pd-len,omitempty" json:"dhcp6IaPdLen,omitempty" yaml:"dhcp6IaPdLen,omitempty"`
Track6Interface string `xml:"track6-interface,omitempty" json:"track6Interface,omitempty" yaml:"track6Interface,omitempty"`
Track6PrefixID string `xml:"track6-prefix-id,omitempty" json:"track6PrefixId,omitempty" yaml:"track6PrefixId,omitempty"`
AliasAddress string `xml:"alias-address,omitempty" json:"aliasAddress,omitempty" yaml:"aliasAddress,omitempty"`
AliasSubnet string `xml:"alias-subnet,omitempty" json:"aliasSubnet,omitempty" yaml:"aliasSubnet,omitempty"`
DHCPRejectFrom string `xml:"dhcprejectfrom,omitempty" json:"dhcprejectfrom,omitempty" yaml:"dhcprejectfrom,omitempty"`
DDNSDomainAlgorithm string `xml:"ddnsdomainalgorithm,omitempty" json:"ddnsdomainalgorithm,omitempty" yaml:"ddnsdomainalgorithm,omitempty"`
NumberOptions []opnsense.DhcpOption `xml:"numberoptions,omitempty" json:"numberoptions,omitempty" yaml:"numberoptions,omitempty"`
Range opnsense.DhcpRange `xml:"range,omitempty" json:"range" yaml:"range,omitempty"`
Winsserver string `xml:"winsserver,omitempty" json:"winsserver,omitempty" yaml:"winsserver,omitempty"`
Dnsserver string `xml:"dnsserver,omitempty" json:"dnsserver,omitempty" yaml:"dnsserver,omitempty"`
Ntpserver string `xml:"ntpserver,omitempty" json:"ntpserver,omitempty" yaml:"ntpserver,omitempty"`
// Advanced DHCP fields for interfaces
AdvDHCPRequestOptions string `` /* 158-byte string literal not displayed */
AdvDHCPRequiredOptions string `` /* 159-byte string literal not displayed */
AdvDHCP6InterfaceStatementRequestOptions string `` /* 177-byte string literal not displayed */
AdvDHCP6ConfigFileOverride string `` /* 163-byte string literal not displayed */
AdvDHCP6IDAssocStatementPrefixPLTime string `` /* 173-byte string literal not displayed */
}
Interface represents a pfSense network interface configuration. It is a copy-on-write fork of opnsense.Interface with Enable changed from string to BoolFlag, because pfSense uses presence-based <enable/> elements.
func (Interface) MarshalXML ¶
MarshalXML implements custom XML marshaling for Interface, ensuring that the Enable BoolFlag field is addressable so (*BoolFlag).MarshalXML is invoked. Without this, direct xml.Marshal calls on Interface values would fall back to default bool serialization instead of producing pfSense-compatible <enable/> elements. Uses a value receiver so both value and pointer marshaling work correctly.
type Interfaces ¶
type Interfaces struct {
Items map[string]Interface `xml:",any" json:"interfaces,omitempty" yaml:"interfaces,omitempty"`
}
Interfaces contains the network interface configurations for a pfSense device. Uses a map-based representation where keys are interface identifiers (wan, lan, opt0, etc.).
func (*Interfaces) Get ¶
func (i *Interfaces) Get(key string) (Interface, bool)
Get returns an interface configuration by its key name (e.g., "wan", "lan", "opt0"). Returns the interface configuration and a boolean indicating if it was found.
func (*Interfaces) Lan ¶
func (i *Interfaces) Lan() (Interface, bool)
Lan returns the LAN interface if it exists, otherwise returns a zero-value Interface and false.
func (*Interfaces) MarshalXML ¶
func (i *Interfaces) MarshalXML(e *xml.Encoder, start xml.StartElement) error
MarshalXML implements custom XML marshaling for the Interfaces map.
func (*Interfaces) Names ¶
func (i *Interfaces) Names() []string
Names returns a sorted list of all interface names.
func (*Interfaces) UnmarshalXML ¶
func (i *Interfaces) UnmarshalXML(decoder *xml.Decoder, start xml.StartElement) error
UnmarshalXML implements custom XML unmarshaling for the Interfaces map.
func (*Interfaces) Wan ¶
func (i *Interfaces) Wan() (Interface, bool)
Wan returns the WAN interface if it exists, otherwise returns a zero-value Interface and false.
type Nat ¶
type Nat struct {
Outbound opnsense.Outbound `xml:"outbound" json:"outbound" yaml:"outbound"`
Inbound []InboundRule `xml:"rule" json:"inbound,omitempty" yaml:"inbound,omitempty"`
Separator string `xml:"separator,omitempty" json:"separator,omitempty" yaml:"separator,omitempty"`
}
Nat represents the pfSense NAT configuration. The key structural difference from OPNsense is that inbound (port-forward) rules are direct children of <nat> rather than nested under <nat><inbound>.
type SyslogConfig ¶
type SyslogConfig struct {
FilterDescriptions string `xml:"filterdescriptions,omitempty" json:"filterDescriptions,omitempty" yaml:"filterDescriptions,omitempty"`
}
SyslogConfig represents the pfSense syslog configuration. It differs from OPNsense by including a filterdescriptions field.
type System ¶
type System struct {
Optimization string `xml:"optimization" json:"optimization,omitempty" yaml:"optimization,omitempty"`
Hostname string `xml:"hostname" json:"hostname" yaml:"hostname"`
Domain string `xml:"domain" json:"domain" yaml:"domain"`
DNSAllowOverride int `xml:"dnsallowoverride" json:"dnsAllowOverride,omitempty" yaml:"dnsAllowOverride,omitempty"`
DNSServers []string `xml:"dnsserver" json:"dnsServers,omitempty" yaml:"dnsServers,omitempty"`
DNS1GW string `xml:"dns1gw,omitempty" json:"dns1gw,omitempty" yaml:"dns1gw,omitempty"`
DNS2GW string `xml:"dns2gw,omitempty" json:"dns2gw,omitempty" yaml:"dns2gw,omitempty"`
Language string `xml:"language" json:"language,omitempty" yaml:"language,omitempty"`
Group []Group `xml:"group" json:"groups,omitempty" yaml:"groups,omitempty"`
User []User `xml:"user" json:"users,omitempty" yaml:"users,omitempty"`
WebGUI WebGUI `xml:"webgui" json:"webgui" yaml:"webgui,omitempty"`
SSH opnsense.SSHConfig `xml:"ssh" json:"ssh" yaml:"ssh,omitempty"`
Timezone string `xml:"timezone" json:"timezone,omitempty" yaml:"timezone,omitempty"`
TimeServers string `xml:"timeservers" json:"timeServers,omitempty" yaml:"timeServers,omitempty"`
DisableNATReflection string `` /* 127-byte string literal not displayed */
DisableSegmentationOffloading int `` /* 136-byte string literal not displayed */
DisableLargeReceiveOffloading int `` /* 136-byte string literal not displayed */
IPv6Allow string `xml:"ipv6allow" json:"ipv6Allow,omitempty" yaml:"ipv6Allow,omitempty"`
MaximumTableEntries string `` /* 126-byte string literal not displayed */
CryptoHardware string `xml:"crypto_hardware,omitempty" json:"cryptoHardware,omitempty" yaml:"cryptoHardware,omitempty"`
EnableSerial opnsense.BoolFlag `xml:"enableserial,omitempty" json:"enableSerial" yaml:"enableSerial,omitempty"`
AlreadyRunConfigUpgrade opnsense.BoolFlag `` /* 130-byte string literal not displayed */
NextUID int `xml:"nextuid" json:"nextUid,omitempty" yaml:"nextUid,omitempty"`
NextGID int `xml:"nextgid" json:"nextGid,omitempty" yaml:"nextGid,omitempty"`
PowerdACMode string `xml:"powerd_ac_mode" json:"powerdAcMode,omitempty" yaml:"powerdAcMode,omitempty"`
PowerdBatteryMode string `xml:"powerd_battery_mode" json:"powerdBatteryMode,omitempty" yaml:"powerdBatteryMode,omitempty"`
PowerdNormalMode string `xml:"powerd_normal_mode" json:"powerdNormalMode,omitempty" yaml:"powerdNormalMode,omitempty"`
Bogons struct {
Interval string `xml:"interval" json:"interval,omitempty" yaml:"interval,omitempty"`
} `xml:"bogons" json:"bogons" yaml:"bogons,omitempty"`
}
System contains the pfSense system configuration. It mirrors the OPNsense System struct but with pfSense-specific differences: multiple DNS servers, bcrypt-hash user passwords, and additional system fields.
type UnboundConfig ¶
type UnboundConfig struct {
Enable opnsense.BoolFlag `xml:"enable,omitempty" json:"enable" yaml:"enable,omitempty"`
DNSSEC opnsense.BoolFlag `xml:"dnssec,omitempty" json:"dnssec" yaml:"dnssec,omitempty"`
ActiveInterface string `xml:"active_interface,omitempty" json:"activeInterface,omitempty" yaml:"activeInterface,omitempty"`
OutgoingInterface string `xml:"outgoing_interface,omitempty" json:"outgoingInterface,omitempty" yaml:"outgoingInterface,omitempty"`
CustomOptions string `xml:"custom_options,omitempty" json:"customOptions,omitempty" yaml:"customOptions,omitempty"`
HideIdentity opnsense.BoolFlag `xml:"hideidentity,omitempty" json:"hideIdentity" yaml:"hideIdentity,omitempty"`
HideVersion opnsense.BoolFlag `xml:"hideversion,omitempty" json:"hideVersion" yaml:"hideVersion,omitempty"`
DNSSECStripped opnsense.BoolFlag `xml:"dnssecstripped,omitempty" json:"dnssecStripped" yaml:"dnssecStripped,omitempty"`
Port string `xml:"port,omitempty" json:"port,omitempty" yaml:"port,omitempty"`
SSLPort string `xml:"sslport,omitempty" json:"sslPort,omitempty" yaml:"sslPort,omitempty"`
SSLCertRef string `xml:"sslcertref,omitempty" json:"sslCertRef,omitempty" yaml:"sslCertRef,omitempty"`
SystemDomainLocalZoneType string `` /* 131-byte string literal not displayed */
}
UnboundConfig represents the pfSense Unbound DNS resolver configuration. It includes more fields than the OPNsense Unbound type, covering interface bindings, security options, and port configuration.
type User ¶
type User struct {
Name string `xml:"name" json:"name" yaml:"name"`
Disabled opnsense.BoolFlag `xml:"disabled" json:"disabled" yaml:"disabled"`
Descr string `xml:"descr" json:"description,omitempty" yaml:"description,omitempty"`
Scope string `xml:"scope" json:"scope" yaml:"scope"`
Groupname string `xml:"groupname" json:"groupname" yaml:"groupname"`
BcryptHash string `xml:"bcrypt-hash" json:"bcryptHash" yaml:"bcryptHash"`
UID string `xml:"uid" json:"uid" yaml:"uid"`
Priv []string `xml:"priv,omitempty" json:"priv,omitempty" yaml:"priv,omitempty"`
Expires string `xml:"expires" json:"expires,omitempty" yaml:"expires,omitempty"`
AuthorizedKeys string `xml:"authorizedkeys" json:"authorizedKeys,omitempty" yaml:"authorizedKeys,omitempty"`
}
User represents a pfSense user. The critical difference from OPNsense is the use of bcrypt-hash instead of password, and user-level privileges via the Priv field.
type WebGUI ¶
type WebGUI struct {
Protocol string `xml:"protocol" json:"protocol" yaml:"protocol"`
SSLCertRef string `xml:"ssl-certref,omitempty" json:"sslCertRef,omitempty" yaml:"sslCertRef,omitempty"`
LoginAutocomplete opnsense.BoolFlag `xml:"loginautocomplete,omitempty" json:"loginAutocomplete" yaml:"loginAutocomplete,omitempty"`
MaxProcesses string `xml:"max_procs,omitempty" json:"maxProcesses,omitempty" yaml:"maxProcesses,omitempty"`
DashboardColumns string `xml:"dashboardcolumns,omitempty" json:"dashboardColumns,omitempty" yaml:"dashboardColumns,omitempty"`
WebGUICSS string `xml:"webguicss,omitempty" json:"webguiCss,omitempty" yaml:"webguiCss,omitempty"`
LoginCSS string `xml:"logincss,omitempty" json:"loginCss,omitempty" yaml:"loginCss,omitempty"`
AltHostnames string `xml:"althostnames,omitempty" json:"altHostnames,omitempty" yaml:"altHostnames,omitempty"`
}
WebGUI represents the pfSense WebGUI configuration. It extends the OPNsense WebGUIConfig with pfSense-specific fields such as dashboard columns, CSS theme, login CSS, and alternate hostnames.
type Widgets ¶
type Widgets struct {
Sequence string `xml:"sequence,omitempty" json:"sequence,omitempty" yaml:"sequence,omitempty"`
ColumnCount string `xml:"column_count,omitempty" json:"columnCount,omitempty" yaml:"columnCount,omitempty"`
Period string `xml:"period,omitempty" json:"period,omitempty" yaml:"period,omitempty"`
}
Widgets represents the pfSense dashboard widgets configuration. It extends the OPNsense Widgets with a pfSense-specific refresh period field.
Source Files
Click to show internal directories.
Click to hide internal directories.