From edbac06d2043380d22cb080bbcdbbf7744e4a84f Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Wed, 16 Dec 2015 11:29:20 +0100 Subject: [PATCH] (trafficshaper) add match tcp ACK/non-ACK selection, closes https://github.com/opnsense/core/issues/528 --- .../OPNsense/TrafficShaper/TrafficShaper.xml | 2 ++ .../service/templates/OPNsense/IPFW/ipfw.conf | 17 +++++++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/src/opnsense/mvc/app/models/OPNsense/TrafficShaper/TrafficShaper.xml b/src/opnsense/mvc/app/models/OPNsense/TrafficShaper/TrafficShaper.xml index 232fe03ad..afff86ea8 100644 --- a/src/opnsense/mvc/app/models/OPNsense/TrafficShaper/TrafficShaper.xml +++ b/src/opnsense/mvc/app/models/OPNsense/TrafficShaper/TrafficShaper.xml @@ -146,6 +146,8 @@ ipv6 udp tcp + tcp (ACK packets only) + tcp (non-ACK packages) icmp igmp esp diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf index 2d579bdd6..f6bc3e93e 100644 --- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf +++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf 
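Review bot: The second added option label reads `tcp (non-ACK packages)`, while the line above it says `tcp (ACK packets only)`; "packages" looks like a typo for "packets". Since this text is shown to the user as the protocol choice, I would change it to `tcp (non-ACK packets)` so the two entries read as a matching pair. The element names are not visible in this rendering of the hunk, so only the label text is addressed here.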
@@ -154,20 +154,25 @@ add 60000 return via any {% if rule.interface2 and helpers.getNodeByTag('interfaces.'+rule.interface2) %} {# 2 interface defined, use both to match packets (2 rules) #} add {{loop.index + 60000}} {{ helpers.getUUIDtag(rule.target) }} {{ - helpers.getUUID(rule.target).number }} {{ rule.proto }} from {{ rule.source }} to {{rule.destination + helpers.getUUID(rule.target).number }} {{ rule.proto.split('_')[0] }} from {{ rule.source }} to {{rule.destination }} src-port {{ rule.src_port }} dst-port {{ rule.dst_port }} {{rule.direction}} recv {{ - helpers.getNodeByTag('interfaces.'+rule.interface).if }} xmit {{helpers.getNodeByTag('interfaces.'+rule.interface2).if + helpers.getNodeByTag('interfaces.'+rule.interface).if }} {% + if rule.proto.split('_')[1]|default('') == 'ack' %} {{ rule.proto.split('_')[2]|default('') }} tcpflags ack {% endif + %} xmit {{helpers.getNodeByTag('interfaces.'+rule.interface2).if }} add {{loop.index + 60000}} {{ helpers.getUUIDtag(rule.target) }} {{ - helpers.getUUID(rule.target).number }} {{ rule.proto }} from {{ rule.source }} to {{rule.destination + helpers.getUUID(rule.target).number }} {{ rule.proto.split('_')[0] }} from {{ rule.source }} to {{rule.destination }} src-port {{ rule.src_port }} dst-port {{ rule.dst_port }} {{rule.direction}} xmit {{ - helpers.getNodeByTag('interfaces.'+rule.interface).if }} recv {{helpers.getNodeByTag('interfaces.'+rule.interface2).if + helpers.getNodeByTag('interfaces.'+rule.interface).if }} {% + if rule.proto.split('_')[1]|default('') == 'ack' %} {{ rule.proto.split('_')[2]|default('') }} tcpflags ack {% endif + %} recv {{helpers.getNodeByTag('interfaces.'+rule.interface2).if }} {% else %} {# normal, single interface situation #} add {{loop.index + 60000}} {{ helpers.getUUIDtag(rule.target) }} {{ - helpers.getUUID(rule.target).number }} {{ rule.proto }} from {{ rule.source }} to {{rule.destination - }} src-port {{ rule.src_port }} dst-port {{ rule.dst_port }} {{rule.direction}} via {{ 
+ helpers.getUUID(rule.target).number }} {{ rule.proto.split('_')[0] }} from {{ rule.source }} to {{rule.destination + }} src-port {{ rule.src_port }} dst-port {{ rule.dst_port }} {{rule.direction}} {% + if rule.proto.split('_')[1]|default('') == 'ack' %} {{ rule.proto.split('_')[2]|default('') }} tcpflags ack {% endif %} via {{ helpers.getNodeByTag('interfaces.'+rule.interface).if }} {% endif %}
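Review bot: In all three rule variants the third segment of `rule.proto` is written into the generated ipfw rule verbatim through `{{ rule.proto.split('_')[2]|default('') }}`, so the template itself does not restrict what ends up in front of `tcpflags ack`. With the two options added to TrafficShaper.xml this presumably produces only an empty string or `not`, but that relies on the model validating the field, which is not visible in this patch. Emitting the keyword as a literal keeps the rule text fixed whatever the stored value is: `{% if rule.proto.split('_')[2]|default('') == 'not' %}not {% endif %}tcpflags ack`. A short comment such as `{# proto may carry a suffix: <proto>_ack or <proto>_ack_not #}` at the first use would explain the `split('_')` convention. It is also worth confirming that no other protocol key contains an underscore, because `split('_')[0]` would truncate it.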