Firewall: Automation: Filter - add adaptive timeouts for https://github.com/opnsense/core/issues/8143

2026-03-14 16:44:39 +00:00 · 2024-12-26 19:26:28 +01:00 · 2024-12-26 19:26:28 +01:00 · bbfd1f3f8b
commit bbfd1f3f8b
parent e6440cb867
3 changed files with 57 additions and 1 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@ -161,6 +161,20 @@
        <help>State Timeout in seconds (TCP only)</help>
        <advanced>true</advanced>
    </field>
+    <field>
+        <id>rule.adaptivestart</id>
+        <label>Adaptive Timeouts [start]</label>
+        <type>text</type>
+        <help>When the number of state entries exceeds this value, adaptive scaling begins. All timeout values are scaled linearly with factor (adaptive.end - number of states) / (adaptive.end - adaptive.start).</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>rule.adaptiveend</id>
+        <label>Adaptive Timeouts [end]</label>
+        <type>text</type>
+        <help>When reaching this number of state entries, all timeout values become zero, effectively purging all state entries immediately. This value is used to define the scale factor, it should not actually be reached (set a lower state limit).</help>
+        <advanced>true</advanced>
+    </field>
    <field>
        <id>rule.max</id>
        <label>Max states</label>
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@ -119,7 +119,9 @@ class Filter extends BaseModel
                        ));
                    }
                    if ($rule->statetype == 'none') {
-                        foreach (['statetimeout', 'max', 'max-src-states', 'max-src-nodes'] as $fieldname) {
+                        foreach ([
+                            'statetimeout', 'max', 'max-src-states', 'max-src-nodes', 'adaptivestart', 'adaptiveend'
+                        ] as $fieldname) {
                            if (!empty((string)$rule->$fieldname)) {
                                $messages->appendMessage(new Message(
                                    gettext("Invalid option when statetype is none."),
@ -134,6 +136,40 @@ class Filter extends BaseModel
                            $rule->statetimeout->__reference
                        ));
                    }
+                    if (empty((string)$rule->max) && ($rule->adaptivestart == '0' || $rule->adaptiveend == '0')) {
+                        $messages->appendMessage(new Message(
+                            gettext('Disabling adaptive timeouts is only supported in combination with a configured maximum number of states for the same rule.'),
+                            $rule->max->__reference
+                        ));
+                    } elseif ($rule->adaptivestart == '0' xor $rule->adaptiveend == '0') {
+                        $messages->appendMessage(new Message(
+                            gettext("Adaptive timeouts must be disabled together."),
+                            $rule->adaptivestart->__reference
+                        ));
+                    } elseif (!empty((string)$rule->adaptivestart) xor !empty((string)$rule->adaptiveend)) {
+                        $messages->appendMessage(new Message(
+                            gettext("The adaptive timouts values must be set together."),
+                            $rule->adaptivestart->__reference
+                        ));
+                    } elseif (
+                        !empty((string)$rule->max) &&
+                        !empty((string)$rule->adaptiveend) &&
+                        (int)$rule->max->getCurrentValue() > (int)$rule->adaptiveend->getCurrentValue()
+                    ) {
+                        $messages->appendMessage(new Message(
+                            gettext("The value of adaptive.end must be greater than the Max states value."),
+                            $rule->adaptiveend->__reference
+                        ));
+                    } elseif (
+                        !empty((string)$rule->adaptivestart) &&
+                        !empty((string)$rule->adaptiveend) &&
+                        (int)$rule->adaptivestart->getCurrentValue() > (int)$rule->adaptiveend->getCurrentValue()
+                    ) {
+                        $messages->appendMessage(new Message(
+                            gettext("The value of adaptive.end must be greater than adaptive.start value."),
+                            $rule->adaptiveend->__reference
+                        ));
+                    }
                }
            }
        }
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@ -155,6 +155,12 @@
                <max type="IntegerField">
                    <MinimumValue>1</MinimumValue>
                </max>
+                <adaptivestart type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                </adaptivestart>
+                <adaptiveend type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                </adaptiveend>
                <categories type="ModelRelationField">
                    <Model>
                        <rulesets>