Filter: associated nat rules miss state keyword and when they would, the tag wouldn't be processed properly ($rule['type'] --> pass)

The associated nat rules remain a terrible construct, ideally we would make sure the automated rule matches a regular one, but if they do, the firewall_rules_edit.php page has to handle all sorts of corner cases leading to other unexpected behaviour. This fixes a bug, cleaning this up would either need proper validations in the filter page or no extra validations at all (create/update, only note the relation, but don't try to enforce anything when associated-rule-id is set.
2026-03-15 09:04:39 +00:00 · 2020-10-14 20:27:49 +02:00 · 2020-10-14 20:27:49 +02:00 · 4235c72900
commit 4235c72900
parent 9ad7e5463f
2 changed files with 2 additions and 1 deletions
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@ -205,7 +205,7 @@ class FilterRule extends Rule
                }
            }
            // restructure state settings for easier output parsing
-            if (!empty($rule['statetype']) && $rule['type'] == 'pass') {
+            if (!empty($rule['statetype']) && ($rule['type'] == 'pass' || empty($rule['type']))) {
                $rule['state'] = array('type' => 'keep', 'options' => array());
                switch ($rule['statetype']) {
                    case 'none':
--- a/src/www/firewall_nat_edit.php
+++ b/src/www/firewall_nat_edit.php
@ -288,6 +288,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {

            // Update interface, protocol and destination
            $filterent['interface'] = $natent['interface'];
+            $filterent['statetype'] = "keep state";
            if (!empty($natent['protocol'])) {
                $filterent['protocol'] = $natent['protocol'];
            } elseif (isset($filterent['protocol'])) {