From 09eec2755b5e8af08d5b2b2ec561b5a67973f0c3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sat, 19 Sep 2020 17:18:55 +0200
Subject: [PATCH] Firewall / scrubbing: fix two parsing bugs: o port aliases not being prefixed with $ o special proto type "tcp/udp" not translated to {tcp udp} closes https://github.com/opnsense/core/issues/4363
---
src/etc/inc/filter.inc | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 2d768a898..0f46f8188 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -612,7 +612,16 @@ function filter_generate_scrubing(&$FilterIflist)
 }
 }
 $scrub_rule_out .= count($interfaces) > 1 ? "{ " . implode(' ', $interfaces) . " } " : $interfaces[0];
- $scrub_rule_out .= $scrub_rule['proto'] != 'any' ? " proto " . $scrub_rule['proto'] : "";
+ switch ($scrub_rule['proto']) {
+ case 'any':
+ break;
+ case 'tcp/udp':
+ $scrub_rule_out .= " proto {tcp udp}";
+ break;
+ default:
+ $scrub_rule_out .= " proto " . $scrub_rule['proto'];
+ break;
+ }
 $scrub_rule_out .= " from ";
 if (is_alias($scrub_rule['src'])) {
 $scrub_rule_out .= !empty($scrub_rule['srcnot']) ? "!" : "";
@@ -623,7 +632,11 @@ function filter_generate_scrubing(&$FilterIflist)
 } else {
 $scrub_rule_out .= "any";
 }
- $scrub_rule_out .= !empty($scrub_rule['srcport']) ? " port " . $scrub_rule['srcport'] : "";
+ if (!empty($scrub_rule['srcport']) && is_alias($scrub_rule['srcport'])) {
+ $scrub_rule_out .= " port $" . $scrub_rule['srcport'];
+ } else {
+ $scrub_rule_out .= !empty($scrub_rule['srcport']) ? " port " . $scrub_rule['srcport'] : "";
+ }
 $scrub_rule_out .= " to ";
 if (is_alias($scrub_rule['dst'])) {
 $scrub_rule_out .= !empty($scrub_rule['dstnot']) ? "!" : "";
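Review bot: The `default` branch of the new `switch` writes `$scrub_rule['proto']` into the pf rule text as-is, and nothing in the hunk shows the value being restricted to pf's known protocol names, so if validation lives only in the UI layer an unexpected configuration value reaches the generated ruleset verbatim and can break the load of the whole ruleset. An allow-list check before the `switch` (or skipping the rule with a log message from `default` when the name is not a recognised protocol) would keep the generator from emitting malformed rules. The `'tcp/udp'` case deserves a one-line comment, e.g. `// pf has no "tcp/udp" protocol: expand the UI pseudo-protocol into a pf list`. Note also that `switch` compares with `==`; with string cases that is harmless here, but `match` would make the comparison strict if the target PHP version permits it. filter_generate_scrubing starts and ends outside the hunk.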
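Review bot: The five-line port block added here is repeated verbatim for `dstport` in the next hunk (@@ -634,7 +647,11), and both copies evaluate `!empty(...)` twice; a small helper would remove the duplication and the double check, e.g. `function filter_generate_port($port) { return empty($port) ? "" : " port " . (is_alias($port) ? '$' : '') . $port; }` with `$scrub_rule_out .= filter_generate_port($scrub_rule['srcport']);` at both call sites. The `$` prefix relies on `is_alias()` confirming that the name is a defined alias so the macro resolves when pf loads the rules; a literal port value is still emitted unchecked, as before this change. filter_generate_scrubing starts and ends outside the hunk.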
@@ -634,7 +647,11 @@ function filter_generate_scrubing(&$FilterIflist)
 } else {
 $scrub_rule_out .= "any";
 }
- $scrub_rule_out .= !empty($scrub_rule['dstport']) ? " port " . $scrub_rule['dstport'] : "";
+ if (!empty($scrub_rule['dstport']) && is_alias($scrub_rule['dstport'])) {
+ $scrub_rule_out .= " port $" . $scrub_rule['dstport'];
+ } else {
+ $scrub_rule_out .= !empty($scrub_rule['dstport']) ? " port " . $scrub_rule['dstport'] : "";
+ }
 $scrub_rule_out .= !empty($scrub_rule['no-df']) ? " no-df " : "";
 $scrub_rule_out .= !empty($scrub_rule['random-id']) ? " random-id " : "";
 $scrub_rule_out .= !empty($scrub_rule['max-mss']) ? " max-mss " . $scrub_rule['max-mss'] . " " : "";