Firewall: multiselect for icmptype for both legacy and icmp. closes https://github.com/opnsense/core/issues/8513

src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml

@@ -168,6 +168,16 @@
             <sortable>false</sortable>
         </grid_view>
     </field>
+    <field>
+        <id>rule.icmptype</id>
+        <label>ICMP type</label>
+        <type>select_multiple</type>
+        <hint>Any</hint>
+        <advanced>true</advanced>
+        <grid_view>
+            <ignore>true</ignore>
+        </grid_view>
+    </field>
     <field>
         <id>rule.source_not</id>
         <label>Invert Source</label>

src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php

@@ -92,6 +92,13 @@ class Filter extends BaseModel
                         }
                     }
 
+                    if (!$rule->icmptype->isEmpty() && !in_array($rule->protocol, ['ICMP'])) {
+                        $messages->appendMessage(new Message(
+                            gettext("Option only applies to ICMP packets"),
+                            $rule->icmptype->__reference
+                        ));
+                    }
+
                     if (strpos($rule->source_net, ',') !== false && $rule->source_not == '1') {
                         $messages->appendMessage(new Message(
                             gettext("Inverting sources is only allowed for single targets to avoid mis-interpretations"),

src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml

@@ -85,6 +85,27 @@
                         <opt1 value='TCP/UDP'>TCP/UDP</opt1>
                     </AddOptions>
                 </protocol>
+                <icmptype type="OptionField">
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <echoreq>Echo Request</echoreq>
+                        <echorep>Echo Reply</echorep>
+                        <unreach>Destination Unreachable</unreach>
+                        <squench>Source Quench (Deprecated)</squench>
+                        <redir>Redirect</redir>
+                        <althost>Alternate Host Address (Deprecated)</althost>
+                        <routeradv>Router Advertisement</routeradv>
+                        <routersol>Router Solicitation</routersol>
+                        <timex>Time Exceeded</timex>
+                        <paramprob>Parameter Problem</paramprob>
+                        <timereq>Timestamp</timereq>
+                        <timerep>Timestamp Reply</timerep>
+                        <inforeq>Information Request (Deprecated)</inforeq>
+                        <inforep>Information Reply (Deprecated)</inforep>
+                        <maskreq>Address Mask Request (Deprecated)</maskreq>
+                        <maskrep>Address Mask Reply (Deprecated)</maskrep>
+                    </OptionValues>
+                </icmptype>
                 <!-- XXX: should map internally to  'source' => array('network' => $source_net, "not" => true|false) -->
                 <source_net type="NetworkAliasField">
                     <Default>any</Default>

src/www/firewall_rules_edit.php

@@ -154,6 +154,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             }
         }
         $pconfig['category'] = !empty($pconfig['category']) ? explode(",", $pconfig['category']) : [];
+        $pconfig['icmptype'] = !empty($pconfig['icmptype']) ? explode(",", $pconfig['icmptype']) : [];
 
         // process fields with some kind of logic
         address_to_pconfig(
@@ -192,6 +193,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         }
         $pconfig['src'] = "any";
         $pconfig['dst'] = "any";
+        $pconfig['icmptype'] = [];
     }
 
     // initialize empty fields
@@ -608,7 +610,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         }
 
         if ($pconfig['protocol'] == "icmp" && !empty($pconfig['icmptype'])) {
-            $filterent['icmptype'] = $pconfig['icmptype'];
+            $filterent['icmptype'] = implode(',', $pconfig['icmptype']);
         } elseif ($pconfig['protocol'] == 'ipv6-icmp' && !empty($pconfig['icmp6-type'])) {
             $filterent['icmp6-type'] = $pconfig['icmp6-type'];
         }
@@ -1053,10 +1055,9 @@ include("head.inc");
                   <tr id="icmpbox">
                     <td><a id="help_for_icmptype" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("ICMP type");?></td>
                     <td>
-                      <select <?=!empty($pconfig['associated-rule-id']) ? "disabled" : "";?> name="icmptype" class="selectpicker" data-live-search="true" data-size="5" >
+                      <select <?=!empty($pconfig['associated-rule-id']) ? "disabled" : "";?> name="icmptype[]" class="selectpicker" title="<?=gettext("Any");?>" data-live-search="true" data-size="5" multiple="multiple">
 <?php
                       $icmptypes = array(
-                      "" => gettext("any"),
                       "echoreq" => gettext("Echo Request"),
                       "echorep" => gettext("Echo Reply"),
                       "unreach" => gettext("Destination Unreachable"),
@@ -1076,7 +1077,7 @@ include("head.inc");
                       );
 
                       foreach ($icmptypes as $icmptype => $descr): ?>
-                        <option value="<?=$icmptype;?>" <?= $icmptype == $pconfig['icmptype'] ? "selected=\"selected\"" : ""; ?>>
+                        <option value="<?=$icmptype;?>" <?= in_array($icmptype, $pconfig['icmptype']) ? "selected=\"selected\"" : ""; ?>>
                           <?=$descr;?>
                         </option>
 <?php