From 4235c7290052c2619b422cb32fd632b9da3cc2db Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Wed, 14 Oct 2020 20:27:49 +0200
Subject: [PATCH] Filter: associated nat rules miss state keyword and when they would, the tag wouldn't be processed properly ($rule['type'] --> pass) The associated nat rules remain a terrible construct, ideally we would make sure the automated rule matches a regular one, but if they do, the firewall_rules_edit.php page has to handle all sorts of corner cases leading to other unexpected behaviour. This fixes a bug, cleaning this up would either need proper validations in the filter page or no extra validations at all (create/update, only note the relation, but don't try to enforce anything when associated-rule-id is set.
---
 src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php | 2 +-
 src/www/firewall_nat_edit.php | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
index 1ffe0ec90..dea2b0810 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@@ -205,7 +205,7 @@ class FilterRule extends Rule
 }
 }
 // restructure state settings for easier output parsing
- if (!empty($rule['statetype']) && $rule['type'] == 'pass') {
+ if (!empty($rule['statetype']) && ($rule['type'] == 'pass' || empty($rule['type']))) {
 $rule['state'] = array('type' => 'keep', 'options' => array());
 switch ($rule['statetype']) {
 case 'none':
diff --git a/src/www/firewall_nat_edit.php b/src/www/firewall_nat_edit.php
index dec89b08d..c92741aa9 100644
--- a/src/www/firewall_nat_edit.php
+++ b/src/www/firewall_nat_edit.php
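Review bot: In the new condition the comparison `$rule['type'] == 'pass'` is evaluated before `empty($rule['type'])`, so a rule that has no `type` key at all (which, going by the commit message, is the associated NAT rule case) would raise an undefined-index notice before the fallback is reached, unless the key is populated earlier in this method, outside the hunk. Putting the empty test first and comparing strictly avoids that: `if (!empty($rule['statetype']) && (empty($rule['type']) || $rule['type'] === 'pass')) {`. A one-line comment such as `// a rule without an explicit type is treated as pass here, so state options apply to it too` would record why an empty type is accepted. The branch still requires a non-empty `statetype`, so associated rules stored before this change presumably keep no state options until the NAT rule is saved again.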
@@ -288,6 +288,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 // Update interface, protocol and destination
 $filterent['interface'] = $natent['interface'];
+ $filterent['statetype'] = "keep state";
 if (!empty($natent['protocol'])) {
 $filterent['protocol'] = $natent['protocol'];
 } elseif (isset($filterent['protocol'])) {
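Review bot: The added `$filterent['statetype'] = "keep state";` sits in the block that refreshes the associated filter rule and runs unconditionally, so any other state type stored on that rule would be reset to `keep state` each time the NAT rule is saved. If that is intended, the comment above it should say so, e.g. `// Update interface, state type (always forced to keep state), protocol and destination`; if not, guard the assignment with `if (empty($filterent['statetype'])) { $filterent['statetype'] = 'keep state'; }`. The surrounding block starts and ends outside the hunk, so whether newly created associated rules also pass through this line cannot be confirmed from here.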