From 92789c527863445acfa3171765bb7e14ab4feb84 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 28 Dec 2024 18:59:49 +0100
Subject: [PATCH] Firewall: Automation: Filter - add tag, tagged for
 https://github.com/opnsense/core/issues/8143

---
 .../Firewall/forms/dialogFilterRule.xml       | 25 +++++++++++++++++++
 .../app/models/OPNsense/Firewall/Filter.xml   |  6 +++++
 2 files changed, 31 insertions(+)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
index d647d71d66..8547513a5b 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -243,6 +243,7 @@
     <field>
         <type>header</type>
         <label>Packet mangling</label>
+        <collapse>true</collapse>
     </field>
     <field>
         <id>rule.set-prio</id>
@@ -264,4 +265,28 @@
             data payload will be assigned this priority when offered.
         </help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Internal tagging</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>rule.tag</id>
+        <label>Set local tag</label>
+        <type>text</type>
+        <help>
+            Packets matching this rule will be tagged with the specified string.
+            The tag acts as an internal marker that can be used to identify these packets later on.
+            This can be used, for example, to provide trust between interfaces and to determine if packets have
+            been processed by translation rules.  Tags are "sticky", meaning that the packet will be tagged even
+            if the rule is not the last matching rule.  Further matching rules can replace the tag with a
+            new one but will not remove a previously applied tag.  A packet is only ever assigned one tag at a time.
+        </help>
+    </field>
+    <field>
+        <id>rule.tagged</id>
+        <label>Match local tag</label>
+        <type>text</type>
+        <help>Used to specify that packets must already be tagged with the given tag in order to match the rule.</help>
+    </field>
 </form>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index ef4b624d97..b68b77c20f 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -190,6 +190,12 @@
                         <opt7 value="7">Network Control (7, highest)</opt7>
                     </OptionValues>
                 </set-prio-low>
+                <tag type="TextField">
+                    <Mask>/^([0-9a-zA-Z.,_\-]){0,512}$/u</Mask>
+                </tag>
+                <tagged type="TextField">
+                    <Mask>/^([0-9a-zA-Z.,_\-]){0,512}$/u</Mask>
+                </tagged>
                 <categories type="ModelRelationField">
                     <Model>
                         <rulesets>