Firewall: Automation: Filter - add 'statetimeout' and validations for #…

…8143 Although this component is mainly used for api access, experiment a bit further with the inpu dialog as well.
opnsense · Dec 24, 2024 · d07e3c6 · d07e3c6
1 parent 3cbea52
commit d07e3c6
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -128,10 +128,8 @@
         <help>Log packets that are handled by this rule</help>
     </field>
     <field>
-        <id>rule.nopfsync</id>
-        <label>NO pfsync</label>
-        <type>checkbox</type>
-        <help>Hint: This prevents states created by this rule to be sync'ed over pfsync.</help>
+        <type>header</type>
+        <label>Stateful firewall</label>
     </field>
     <field>
         <id>rule.statetype</id>
@@ -149,6 +147,19 @@
             Interface bound states are more secure, floating more flexible
         </help>
     </field>
+    <field>
+        <id>rule.statetimeout</id>
+        <label>State timeout</label>
+        <type>text</type>
+        <help>State Timeout in seconds (TCP only)</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>rule.nopfsync</id>
+        <label>NO pfsync</label>
+        <type>checkbox</type>
+        <help>Hint: This prevents states created by this rule to be sync'ed over pfsync.</help>
+    </field>
     <field>
         <type>header</type>
         <label>Source routing</label>

diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -118,6 +118,18 @@ public function performValidation($validateFullModel = false)
                             $rule->interfacenot->__reference
                         ));
                     }
+                    if ($rule->statetype == 'none' && !empty((string)$rule->statetimeout)) {
+                        $messages->appendMessage(new Message(
+                            gettext("You cannot specify the state timeout (advanced option) if statetype is none."),
+                            $rule->statetimeout->__reference
+                        ));
+                    }
+                    if (!in_array($rule->protocol, ['TCP', 'TCP/UDP']) && !empty((string)$rule->statetimeout)) {
+                        $messages->appendMessage(new Message(
+                            gettext("You can only specify the state timeout (advanced option) for TCP protocol."),
+                            $rule->statetimeout->__reference
+                        ));
+                    }
                 }
             }
         }

diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -139,6 +139,10 @@
                     <Default>0</Default>
                     <Required>Y</Required>
                 </nopfsync>
+                <statetimeout type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65536</MaximumValue>
+                </statetimeout>
                 <categories type="ModelRelationField">
                     <Model>
                         <rulesets>