From 23c6d1b766e8eb211594a8167a86bb2f27465cfb Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 30 May 2016 14:11:02 +0200
Subject: [PATCH] (firewall, scrub) move relevant scrub options to
 firewall_scrub.php

ditch disablescrub option,  fragment reassemble is enabled by default.
---
 src/etc/inc/filter.inc               |  31 +++-----
 src/www/firewall_scrub.php           | 104 ++++++++++++++++++++++++---
 src/www/system_advanced_firewall.php |  56 ---------------
 3 files changed, 101 insertions(+), 90 deletions(-)

diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 7b7662021..5df1e7e33 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -388,37 +388,22 @@ function filter_generate_scrubing(&$FilterIflist)
         }
         $scrubrules .= "scrub from any to <vpn_networks> max-mss {$maxmss}\n";
     }
-    /* disable scrub option */
+
+    /* scrub per interface options */
     foreach ($FilterIflist as $scrubif => $scrubcfg) {
         if (isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) {
             continue;
         } else {
             /* set up MSS clamping */
-            $mssclamp = '';
-            if (
-                $scrubcfg['mss'] != '' && is_numeric($scrubcfg['mss']) &&
-                $scrubcfg['if'] != 'pppoe' && $scrubcfg['if'] != 'pptp' &&
-                $scrubcfg['if'] != 'l2tp'
-            ) {
+            if (!empty($scrubcfg['mss']) && is_numeric($scrubcfg['mss']) &&
+                !in_array($scrubcfg['if'], array('pppoe', 'pptp', 'l2tp'))) {
                 $mssclamp = "max-mss " . (intval($scrubcfg['mss'] - 40));
-            }
-
-            /* configure no-df for linux nfs and others */
-            if (!empty($config['system']['scrubnodf'])) {
-                $scrubnodf = "no-df";
             } else {
-                $scrubnodf = "";
-            }
-            if (!empty($config['system']['scrubrnid'])) {
-                $scrubrnid = "random-id";
-            } else {
-                $scrubrnid = "";
-            }
-            if (!isset($config['system']['disablescrub'])) {
-                $scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions
-            } else if (!empty($mssclamp)) {
-                $scrubrules .= "scrub on \${$scrubcfg['descr']} {$mssclamp}\n";
+                $mssclamp = '';
             }
+            $scrubnodf = !empty($config['system']['scrubnodf']) ? "no-df" : "";
+            $scrubrnid = !empty($config['system']['scrubrnid']) ? "random-id" : "";
+            $scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp}\n";
         }
     }
 
diff --git a/src/www/firewall_scrub.php b/src/www/firewall_scrub.php
index 26817f648..fb5e7c450 100644
--- a/src/www/firewall_scrub.php
+++ b/src/www/firewall_scrub.php
@@ -35,12 +35,34 @@ if (!isset($config['filter']['scrub']['rule'])) {
 }
 $a_scrub = &$config['filter']['scrub']['rule'];
 
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    $pconfig = array();
+    $pconfig['scrubnodf'] = !empty($config['system']['scrubnodf']);
+    $pconfig['scrubrnid'] = !empty($config['system']['scrubrnid']);
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
     $pconfig = $_POST;
     if (isset($pconfig['id']) && isset($a_scrub[$pconfig['id']])) {
         $id = $pconfig['id'];
     }
-    if (isset($pconfig['apply'])) {
+
+    if (isset($pconfig['act']) && $pconfig['act'] == 'edit') {
+        // update general settings
+        if (!empty($pconfig['scrubnodf'])) {
+            $config['system']['scrubnodf'] = "enabled";
+        } elseif (isset($config['system']['scrubnodf'])) {
+            unset($config['system']['scrubnodf']);
+        }
+        if (!empty($pconfig['scrubrnid'])) {
+            $config['system']['scrubrnid'] = "enabled";
+        } elseif (isset($config['system']['scrubrnid'])) {
+            unset($config['system']['scrubrnid']);
+        }
+        if (write_config()) {
+            mark_subsystem_dirty('filter');
+        }
+        header("Location: firewall_scrub.php");
+        exit;
+    } elseif (isset($pconfig['apply'])) {
         filter_configure();
         clear_subsystem_dirty('filter');
         $savemsg = sprintf(
@@ -163,6 +185,12 @@ $( document ).ready(function() {
     $("#iform").submit();
   });
 
+  $("#save").click(function(event){
+    event.preventDefault();
+    $("#action").val("edit");
+    $("#iform").submit();
+  });
+
   // watch scroll position and set to last known on page load
   watchScrollPosition();
 
@@ -178,14 +206,68 @@ $( document ).ready(function() {
         <?php if (is_subsystem_dirty('filter')): ?><p>
         <?php print_info_box_apply(gettext("The firewall rule configuration has been changed.<br />You must apply the changes in order for them to take effect."));?>
         <?php endif; ?>
-        <section class="col-xs-12">
-          <div class="content-box">
-            <form method="post" name="iform" id="iform">
-              <input type="hidden" id="id" name="id" value="" />
-              <input type="hidden" id="action" name="act" value="" />
+        <form method="post" name="iform" id="iform">
+          <input type="hidden" id="id" name="id" value="" />
+          <input type="hidden" id="action" name="act" value="" />
+          <section class="col-xs-12">
+            <div class="content-box">
+              <div class="table-responsive" >
+                <table class="table table-striped table-hover opnsense_standard_table_form">
+                  <thead>
+                    <tr>
+                      <td width="22%"><strong><?=gettext("General settings");?></strong></td>
+                      <td  width="78%" align="right">
+                           <small><?=gettext("full help"); ?> </small>
+                           <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page" type="button">&nbsp;</i>
+                      </td>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <tr>
+                      <td><a id="help_for_scrubnodf" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Do-Not-Fragment");?></td>
+                      <td>
+                        <input name="scrubnodf" type="checkbox" value="yes" <?=!empty($pconfig['scrubnodf']) ? "checked=\"checked\"" : ""; ?>/>
+                        <div class="hidden" for="help_for_scrubnodf">
+                          <?=gettext("This allows for communications with hosts that generate fragmented " .
+                                              "packets with the don't fragment (DF) bit set. Linux NFS is known to " .
+                                              "do this. This will cause the filter to not drop such packets but " .
+                                              "instead clear the don't fragment bit.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_scrubrnid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Random id");?></td>
+                      <td>
+                        <input name="scrubrnid" type="checkbox" value="yes" <?= !empty($pconfig['scrubrnid']) ? "checked=\"checked\"" : "";?> />
+                        <div class="hidden" for="help_for_scrubrnid">
+                          <?=gettext("Replaces the IP identification field of packets with random values to " .
+                                              "compensate for operating systems that use predictable values. " .
+                                              "This option only applies to packets that are not fragmented after the " .
+                                              "optional packet reassembly.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td></td>
+                      <td>
+                          <input name="Submit" id="save" type="submit" class="btn btn-primary" value="<?=gettext("Save");?>" />
+                      </td>
+                    </tr>
+                    </tbody>
+                  </table>
+              </div>
+            </div>
+          </section>
+          <section class="col-xs-12">
+            <div class="content-box">
               <div class="table-responsive" >
                 <table class="table table-striped table-hover" id="rules">
                   <thead>
+                     <tr>
+                         <th colspan="2"><?=gettext("Detailed settings");?></th>
+                         <th colspan="2" class="hidden-xs hidden-sm"> </th>
+                         <th colspan="2"> </th>
+                     </tr>
                     <tr>
                       <th>&nbsp;</th>
                       <th><?=gettext("Interfaces");?></th>
@@ -194,7 +276,7 @@ $( document ).ready(function() {
                       <th><?=gettext("Description");?></th>
                       <th></th>
                     </tr>
-                </thead>
+                  </thead>
                 <tbody>
 <?php
                 $special_nets = get_specialnets();
@@ -293,9 +375,9 @@ $( document ).ready(function() {
                 </tfoot>
               </table>
             </div>
-          </form>
-        </div>
-      </section>
+          </div>
+        </section>
+      </form>
     </div>
   </div>
 </section>
diff --git a/src/www/system_advanced_firewall.php b/src/www/system_advanced_firewall.php
index 1ee926528..edc302342 100644
--- a/src/www/system_advanced_firewall.php
+++ b/src/www/system_advanced_firewall.php
@@ -44,8 +44,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig = array();
     $pconfig['ipv6allow'] = isset($config['system']['ipv6allow']);
     $pconfig['disablefilter'] = !empty($config['system']['disablefilter']);
-    $pconfig['scrubnodf'] = !empty($config['system']['scrubnodf']);
-    $pconfig['scrubrnid'] = !empty($config['system']['scrubrnid']);
     $pconfig['optimization'] = isset($config['system']['optimization']) ? $config['system']['optimization'] : "normal";
     $pconfig['maximumstates'] = isset($config['system']['maximumstates']) ? $config['system']['maximumstates'] : null;
     $pconfig['adaptivestart'] = isset($config['system']['adaptivestart']) ? $config['system']['adaptivestart'] : null;
@@ -70,7 +68,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['enablenatreflectionhelper'] = isset($config['system']['enablenatreflectionhelper']) ? $config['system']['enablenatreflectionhelper'] : null;
     $pconfig['reflectiontimeout'] = !empty($config['system']['reflectiontimeout']) ? $config['system']['reflectiontimeout'] : null;
     $pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
-    $pconfig['disablescrub'] = isset($config['system']['disablescrub']);
     $pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
     $pconfig = $_POST;
@@ -131,18 +128,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             unset($config['system']['disablevpnrules']);
         }
 
-        if (!empty($pconfig['scrubnodf'])) {
-            $config['system']['scrubnodf'] = "enabled";
-        } elseif (isset($config['system']['scrubnodf'])) {
-            unset($config['system']['scrubnodf']);
-        }
-
-        if (!empty($pconfig['scrubrnid'])) {
-            $config['system']['scrubrnid'] = "enabled";
-        } elseif (isset($config['system']['scrubrnid'])) {
-            unset($config['system']['scrubrnid']);
-        }
-
         if (!empty($pconfig['adaptiveend'])) {
             $config['system']['adaptiveend'] = $pconfig['adaptiveend'];
         } elseif (isset($config['system']['adaptiveend'])) {
@@ -204,12 +189,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             unset($config['filter']['bypassstaticroutes']);
         }
 
-        if (!empty($pconfig['disablescrub'])) {
-            $config['system']['disablescrub'] = $pconfig['disablescrub'];
-        } elseif (isset($config['system']['disablescrub'])) {
-            unset($config['system']['disablescrub']);
-        }
-
         if ($pconfig['bogonsinterval'] != $config['system']['bogons']['interval']) {
             $config['system']['bogons']['interval'] = $pconfig['bogonsinterval'];
         }
@@ -437,32 +416,6 @@ include("head.inc");
                 <tr>
                   <th colspan="2" valign="top" class="listtopic"><?=gettext("Miscellaneous");?></th>
                 </tr>
-                <tr>
-                  <td><a id="help_for_scrubnodf" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Do-Not-Fragment");?></td>
-                  <td>
-                    <input name="scrubnodf" type="checkbox" value="yes" <?=!empty($pconfig['scrubnodf']) ? "checked=\"checked\"" : ""; ?>/>
-                    <strong><?=gettext("Clear invalid DF bits instead of dropping the packets");?></strong>
-                    <div class="hidden" for="help_for_scrubnodf">
-                      <?=gettext("This allows for communications with hosts that generate fragmented " .
-                                          "packets with the don't fragment (DF) bit set. Linux NFS is known to " .
-                                          "do this. This will cause the filter to not drop such packets but " .
-                                          "instead clear the don't fragment bit.");?>
-                    </div>
-                  </td>
-                </tr>
-                <tr>
-                  <td><a id="help_for_scrubrnid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP Random id");?></td>
-                  <td>
-                    <input name="scrubrnid" type="checkbox" value="yes" <?= !empty($pconfig['scrubrnid']) ? "checked=\"checked\"" : "";?> />
-                    <strong><?=gettext("Insert a stronger id into IP header of packets passing through the filter.");?></strong>
-                    <div class="hidden" for="help_for_scrubrnid">
-                      <?=gettext("Replaces the IP identification field of packets with random values to " .
-                                          "compensate for operating systems that use predictable values. " .
-                                          "This option only applies to packets that are not fragmented after the " .
-                                          "optional packet reassembly.");?>
-                    </div>
-                  </td>
-                </tr>
                 <tr>
                   <td><a id="help_for_optimization" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Firewall Optimization");?></td>
                   <td>
@@ -519,15 +472,6 @@ include("head.inc");
                     </div>
                   </td>
                 </tr>
-                <tr>
-                  <td><a id="help_for_disablescrub" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disable Firewall Scrub");?></td>
-                  <td>
-                    <input name="disablescrub" type="checkbox" value="yes" <?=!empty($pconfig['disablescrub']) ? "checked=\"checked\"" : "";?>/>
-                    <div class="hidden" for="help_for_disablescrub">
-                      <?=gettext("Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic.");?>
-                    </div>
-                  </td>
-                </tr>
                 <tr>
                   <td><a id="help_for_adaptive" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Firewall Adaptive Timeouts");?></td>
                   <td>