From 752795a22996eddbe8dcef88298555d83f12ce9b Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sat, 28 Dec 2024 19:45:07 +0100
Subject: [PATCH] Firewall: Automation: Filter - add tcpflags1,tcpflags2 for https://github.com/opnsense/core/issues/8143
---
 .../Firewall/forms/dialogFilterRule.xml | 14 ++++++++++
 .../app/models/OPNsense/Firewall/Filter.php | 8 +++++-
 .../app/models/OPNsense/Firewall/Filter.xml | 26 +++++++++++++++++++
 3 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
index a9a0802fba..48556fe283 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -134,6 +134,20 @@
 checkbox Log packets that are handled by this rule + + rule.tcpflags1 + + select_multiple + Use this to choose TCP flags that must be set this rule to match. + true + + + rule.tcpflags2 + + select_multiple + Use this to choose TCP flags that must be cleared for this rule to match. + true + header
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 3d1b2c55c6..e174040775 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -132,7 +132,7 @@ public function performValidation($validateFullModel = false)
                 }
             }
             if (!in_array($rule->protocol, ['TCP', 'TCP/UDP'])) {
-                foreach (['statetimeout', 'max-src-conn'] as $fieldname) {
+                foreach (['statetimeout', 'max-src-conn', 'tcpflags1', 'tcpflags2'] as $fieldname) {
                     if (!empty((string)$rule->$fieldname)) {
                         $messages->appendMessage(new Message(
                             gettext("Invalid option for other than TCP protocol choices."),
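Review bot: The help text for `rule.tcpflags1` drops a word and should read `Use this to choose TCP flags that must be set for this rule to match.`. The `rule.tcpflags2` help says these flags "must be cleared", while the validation message added to Filter.php in this same commit describes tcpflags2 as the set "out of which" flags are checked, which matches pf's `flags a/b` mask semantics; if that is the intent, a flag selected in both fields must be set rather than cleared, so the wording is misleading. Something like `Use this to choose the TCP flags that are checked; flags selected here but not in the "set" list must be cleared for this rule to match.` would describe the behaviour consistently with the model validation.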
@@ -141,6 +141,12 @@ public function performValidation($validateFullModel = false)
                     }
                 }
             }
+            if (!empty((string)$rule->tcpflags1) && empty((string)$rule->tcpflags2)) {
+                $messages->appendMessage(new Message(
+                    gettext("If you specify TCP flags that should be set you should specify out of which flags as well."),
+                    $rule->tcpflags2->__reference
+                ));
+            }
             if (empty((string)$rule->max) && ($rule->adaptivestart == '0' || $rule->adaptiveend == '0')) {
                 $messages->appendMessage(new Message(
                     gettext('Disabling adaptive timeouts is only supported in ".
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index a3726ab09f..9678f61921 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -209,6 +209,32 @@
 /^([0-9a-zA-Z.,_\-]){0,512}$/u + + Y + + syn + ack + fin + rst + psh + urg + ece + cwr + + + + Y + + syn + ack + fin + rst + psh + urg + ece + cwr + +
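Review bot: The new check only rejects the case where tcpflags1 is filled and tcpflags2 is empty; it does not verify that every flag chosen in tcpflags1 also appears in tcpflags2. If I read pf's matching right (a packet matches when `(th_flags & flagset) == flags`), a flag that is required to be set but missing from the checked set yields a rule that can never match, so the rule silently has no effect and the operator gets no error in the UI. Assuming the multi-select values are stored comma-separated, a subset check next to the existing message would catch this at validation time; the gettext string could also read more clearly as `If you specify TCP flags that should be set, you also have to specify out of which flags they are checked.`. performValidation continues outside the hunk.

```php
// … unchanged: protocol-specific option checks above …
if (!empty((string)$rule->tcpflags1)) {
    if (empty((string)$rule->tcpflags2)) {
        $messages->appendMessage(new Message(
            gettext("If you specify TCP flags that should be set you should specify out of which flags as well."),
            $rule->tcpflags2->__reference
        ));
    } elseif (array_diff(explode(',', (string)$rule->tcpflags1), explode(',', (string)$rule->tcpflags2)) !== []) {
        // a flag that must be set but is not part of the checked set can never match
        $messages->appendMessage(new Message(
            gettext("Every TCP flag that should be set must also be listed in the flags to check."),
            $rule->tcpflags1->__reference
        ));
    }
}
// … unchanged: adaptive timeout validation …
```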