Firewall: Automation: Filter - add tcpflags1,tcpflags2 for #8143

src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml

@@ -134,6 +134,20 @@
         <type>checkbox</type>
         <help>Log packets that are handled by this rule</help>
     </field>
+    <field>
+        <id>rule.tcpflags1</id>
+        <label>TCP flags</label>
+        <type>select_multiple</type>
+        <help>Use this to choose TCP flags that must be set this rule to match.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>rule.tcpflags2</id>
+        <label>TCP flags [out of]</label>
+        <type>select_multiple</type>
+        <help>Use this to choose TCP flags that must be cleared for this rule to match.</help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <type>header</type>
         <label>Stateful firewall</label>

src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php

@@ -132,7 +132,7 @@ public function performValidation($validateFullModel = false)
                         }
                     }
                     if (!in_array($rule->protocol, ['TCP', 'TCP/UDP'])) {
-                        foreach (['statetimeout', 'max-src-conn'] as $fieldname) {
+                        foreach (['statetimeout', 'max-src-conn', 'tcpflags1', 'tcpflags2'] as $fieldname) {
                             if (!empty((string)$rule->$fieldname)) {
                                 $messages->appendMessage(new Message(
                                     gettext("Invalid option for other than TCP protocol choices."),
@@ -141,6 +141,12 @@ public function performValidation($validateFullModel = false)
                             }
                         }
                     }
+                    if (!empty((string)$rule->tcpflags1) && empty((string)$rule->tcpflags2)) {
+                        $messages->appendMessage(new Message(
+                            gettext("If you specify TCP flags that should be set you should specify out of which flags as well."),
+                            $rule->tcpflags2->__reference
+                        ));
+                    }
                     if (empty((string)$rule->max) && ($rule->adaptivestart == '0' || $rule->adaptiveend == '0')) {
                         $messages->appendMessage(new Message(
                             gettext('Disabling adaptive timeouts is only supported in ".

src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml

@@ -209,6 +209,32 @@
                 <tagged type="TextField">
                     <Mask>/^([0-9a-zA-Z.,_\-]){0,512}$/u</Mask>
                 </tagged>
+                <tcpflags1 type="OptionField">
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <syn>syn</syn>
+                        <ack>ack</ack>
+                        <fin>fin</fin>
+                        <rst>rst</rst>
+                        <psh>psh</psh>
+                        <urg>urg</urg>
+                        <ece>ece</ece>
+                        <cwr>cwr</cwr>
+                    </OptionValues>
+                </tcpflags1>
+                <tcpflags2 type="OptionField">
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <syn>syn</syn>
+                        <ack>ack</ack>
+                        <fin>fin</fin>
+                        <rst>rst</rst>
+                        <psh>psh</psh>
+                        <urg>urg</urg>
+                        <ece>ece</ece>
+                        <cwr>cwr</cwr>
+                    </OptionValues>
+                </tcpflags2>
                 <categories type="ModelRelationField">
                     <Model>
                         <rulesets>