Firewall: Automation: Filter - add 'statetimeout' and validations for https://github.com/opnsense/core/issues/8143

Although this component is mainly used for api access, experiment a bit further with the inpu dialog as well.
2026-03-13 16:14:40 +00:00 · 2024-12-24 16:49:02 +01:00 · 2024-12-24 16:49:02 +01:00 · d07e3c620e
commit d07e3c620e
parent 3cbea52267
3 changed files with 31 additions and 4 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@ -128,10 +128,8 @@
        <help>Log packets that are handled by this rule</help>
    </field>
    <field>
-        <id>rule.nopfsync</id>
-        <label>NO pfsync</label>
-        <type>checkbox</type>
-        <help>Hint: This prevents states created by this rule to be sync'ed over pfsync.</help>
+        <type>header</type>
+        <label>Stateful firewall</label>
    </field>
    <field>
        <id>rule.statetype</id>
@ -149,6 +147,19 @@
            Interface bound states are more secure, floating more flexible
        </help>
    </field>
+    <field>
+        <id>rule.statetimeout</id>
+        <label>State timeout</label>
+        <type>text</type>
+        <help>State Timeout in seconds (TCP only)</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>rule.nopfsync</id>
+        <label>NO pfsync</label>
+        <type>checkbox</type>
+        <help>Hint: This prevents states created by this rule to be sync'ed over pfsync.</help>
+    </field>
    <field>
        <type>header</type>
        <label>Source routing</label>
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@ -118,6 +118,18 @@ class Filter extends BaseModel
                            $rule->interfacenot->__reference
                        ));
                    }
+                    if ($rule->statetype == 'none' && !empty((string)$rule->statetimeout)) {
+                        $messages->appendMessage(new Message(
+                            gettext("You cannot specify the state timeout (advanced option) if statetype is none."),
+                            $rule->statetimeout->__reference
+                        ));
+                    }
+                    if (!in_array($rule->protocol, ['TCP', 'TCP/UDP']) && !empty((string)$rule->statetimeout)) {
+                        $messages->appendMessage(new Message(
+                            gettext("You can only specify the state timeout (advanced option) for TCP protocol."),
+                            $rule->statetimeout->__reference
+                        ));
+                    }
                }
            }
        }
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@ -139,6 +139,10 @@
                    <Default>0</Default>
                    <Required>Y</Required>
                </nopfsync>
+                <statetimeout type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65536</MaximumValue>
+                </statetimeout>
                <categories type="ModelRelationField">
                    <Model>
                        <rulesets>