From 5319b8e53bfc1267bb3cfcddf29ec3e9f1fa82fb Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Mon, 31 Oct 2016 19:03:07 +0100 Subject: [PATCH] (filter) move out some more static rules --- src/etc/inc/filter.inc | 21 --------------- src/etc/inc/filter.lib.inc | 27 +++++++++++++++++++ .../library/OPNsense/Firewall/FilterRule.php | 21 ++++++++++----- 3 files changed, 41 insertions(+), 28 deletions(-) diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index b3ad0f6bf..b7dcc01e8 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -2503,27 +2503,6 @@ function filter_rules_generate(&$FilterIflist) $log['pass'] = !isset($config['syslog']['nologdefaultpass']) ? "log" : ""; $ipfrules .= <<'inet46', 'label' => 'Default deny rule', 'quick' => false), $defaults['block'] ); + + // IPv6 ICMP requirements + $fw->registerFilterRule(1, + array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '1,2,135,136', + 'statetype' => 'keep', 'label' => 'IPv6 requirements (ICMP)'), + $defaults['pass'] + ); + // Allow only bare essential icmpv6 packets + $fw->registerFilterRule(1, + array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '129,133,134,135,136', + 'statetype' => 'keep', 'label' => 'IPv6 requirements (ICMP)', 'from' => 'fe80::/10', + 'to' => 'fe80::/10,ff02::/16', 'direction' => 'out' ), + $defaults['pass'] + ); + $fw->registerFilterRule(1, + array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', + 'statetype' => 'keep', 'label' => 'IPv6 requirements (ICMP)', 'from' => 'fe80::/10', + 'to' => 'fe80::/10,ff02::/16', 'direction' => 'in' ), + $defaults['pass'] + ); + $fw->registerFilterRule(1, + array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', + 'statetype' => 'keep', 'label' => 'IPv6 requirements (ICMP)', 'from' => 'ff02::/16', + 'to' => 'fe80::/10', 'direction' => 'in' ), + $defaults['pass'] + ); + } 
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
index 41161a746..35a866efa 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@@ -41,14 +41,15 @@ class FilterRule
 private $procorder = array(
 'disabled' => 'parseIsComment',
 'type' => 'parseType',
+ 'direction' => 'parseReplaceSimple,any:',
 'log' => 'parseBool,log',
 'quick' => 'parseBool,quick',
 'interface' => 'parseInterface',
 'ipprotocol' => 'parsePlain',
- 'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp}',
- 'from' => 'parsePlain',
- 'to' => 'parsePlain',
- 'icmp6-type' => 'parsePlain,{,}',
+ 'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
+ 'from' => 'parsePlain,from {,}',
+ 'to' => 'parsePlain,to {,}',
+ 'icmp6-type' => 'parsePlain,icmp6-type {,}',
 'state' => 'parseState',
 'label' => 'parsePlain,label ","'
 );
@@ -79,15 +80,21 @@ class FilterRule
 * @param string $map
 * @return string
 */
- private function parseReplaceSimple($value, $map)
+ private function parseReplaceSimple($value, $map, $prefix="", $suffix="")
 {
+ $retval = $value;
 foreach (explode('|', $map) as $item) {
 $tmp = explode(':', $item);
 if ($tmp[0] == $value) {
- return $tmp[1] . " ";
+ $retval = $tmp[1] . " ";
+ break;
 }
 }
- return $value . " ";
+ if (!empty($retval)) {
+ return $prefix . $retval . $suffix . " ";
+ } else {
+ return "";
+ }
 }
 
 /**
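Review bot: The new `else { return ""; }` branch in parseReplaceSimple is never reached for a mapped value such as the `any:` entry added for `direction`, because on a match `$retval` is set to `$tmp[1] . " "` — a lone space — which `!empty()` treats as non-empty, so `any` still produces `"  "` (prefix, space, suffix, space) instead of dropping the token; pf tolerates the stray whitespace, but the suppression the mapping spells out does not happen. The same `empty()` test would also swallow a legitimate unmapped value of `"0"`, and `$tmp[0] == $value` is a loose comparison against a value that the rule array may supply as a non-string scalar. I would test emptiness on the bare replacement before appending the separator, compare with `===`, and use `explode(':', $item, 2)` with an `isset()` guard so a map entry without a colon cannot raise an undefined-offset notice; this also makes the trailing-space layout identical for mapped and unmapped values. The docblock directly above (partly in the hunk) still documents only `$value`/`$map`, so `@param string $prefix` and `@param string $suffix` should be added, and since `from`/`to`/`label` in the same table are spliced into the pf rule text verbatim by `parsePlain`, a one-line comment on `$procorder` noting that these values are not escaped would help the next maintainer.

```php
    private function parseReplaceSimple($value, $map, $prefix = "", $suffix = "")
    {
        $retval = (string)$value;
        foreach (explode('|', $map) as $item) {
            $tmp = explode(':', $item, 2);
            if ($tmp[0] === $retval) {
                // an empty right-hand side (e.g. "any:") suppresses the token entirely
                $retval = isset($tmp[1]) ? $tmp[1] : "";
                break;
            }
        }
        if ($retval === "") {
            return "";
        }
        return $prefix . $retval . $suffix . " ";
    }
```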