From d07e3c620ef8ef8dbb4ec1ea28fa0535e69c66a0 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 24 Dec 2024 16:49:02 +0100
Subject: [PATCH] Firewall: Automation: Filter - add  'statetimeout' and
 validations for https://github.com/opnsense/core/issues/8143

Although this component is mainly used for api access, experiment a bit further with the inpu dialog as well.
---
 .../Firewall/forms/dialogFilterRule.xml       | 19 +++++++++++++++----
 .../app/models/OPNsense/Firewall/Filter.php   | 12 ++++++++++++
 .../app/models/OPNsense/Firewall/Filter.xml   |  4 ++++
 3 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
index d3ea98262..1258c368d 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -128,10 +128,8 @@
         <help>Log packets that are handled by this rule</help>
     </field>
     <field>
-        <id>rule.nopfsync</id>
-        <label>NO pfsync</label>
-        <type>checkbox</type>
-        <help>Hint: This prevents states created by this rule to be sync'ed over pfsync.</help>
+        <type>header</type>
+        <label>Stateful firewall</label>
     </field>
     <field>
         <id>rule.statetype</id>
@@ -149,6 +147,19 @@
             Interface bound states are more secure, floating more flexible
         </help>
     </field>
+    <field>
+        <id>rule.statetimeout</id>
+        <label>State timeout</label>
+        <type>text</type>
+        <help>State Timeout in seconds (TCP only)</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>rule.nopfsync</id>
+        <label>NO pfsync</label>
+        <type>checkbox</type>
+        <help>Hint: This prevents states created by this rule to be sync'ed over pfsync.</help>
+    </field>
     <field>
         <type>header</type>
         <label>Source routing</label>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 788975f9b..785c8330c 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -118,6 +118,18 @@ class Filter extends BaseModel
                             $rule->interfacenot->__reference
                         ));
                     }
+                    if ($rule->statetype == 'none' && !empty((string)$rule->statetimeout)) {
+                        $messages->appendMessage(new Message(
+                            gettext("You cannot specify the state timeout (advanced option) if statetype is none."),
+                            $rule->statetimeout->__reference
+                        ));
+                    }
+                    if (!in_array($rule->protocol, ['TCP', 'TCP/UDP']) && !empty((string)$rule->statetimeout)) {
+                        $messages->appendMessage(new Message(
+                            gettext("You can only specify the state timeout (advanced option) for TCP protocol."),
+                            $rule->statetimeout->__reference
+                        ));
+                    }
                 }
             }
         }
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 1025734d7..73afc51d3 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -139,6 +139,10 @@
                     <Default>0</Default>
                     <Required>Y</Required>
                 </nopfsync>
+                <statetimeout type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65536</MaximumValue>
+                </statetimeout>
                 <categories type="ModelRelationField">
                     <Model>
                         <rulesets>