see #2436 setting stateless/stateful rule option depending on combination of the "state" keyword and user-chosen version

src/import/Importer.h

@@ -123,7 +123,10 @@ protected:
 
     std::string discovered_platform;
     std::string discovered_version;
-    
+
+    std::string user_choice_host_os;
+    std::string user_choice_version;
+
     libfwbuilder::Interface* current_interface;
     
     // map :  ruleset name : ruleset
@@ -292,6 +295,10 @@ public:
 
     virtual void setDiscoveredPlatform(const std::string &v);
     virtual void setDiscoveredVersion(const std::string &v);
+
+    void setUserChoiceHostOS(const std::string &s) { user_choice_host_os = s; }
+    void setUserChoiceVersion(const std::string &s) { user_choice_version = s; }
+    
     virtual void setHostName(const std::string &hn);
     virtual void newInterface(const std::string &interface_name);
     virtual void clearCurrentInterface() { current_interface = NULL; }

src/import/PFImporter.cpp

@@ -588,6 +588,23 @@ void PFImporter::pushPolicyRule()
     /*
      * Set state-related rule options using variable state_op
      */
+
+    if (state_op.empty())
+    {
+        // when "state" keyword is absent, behavior depends on the
+        // version because different versions have different
+        // defaults. Versions prior to 4.0 treat missing keyword as
+        // "no state", while versions past 4.0 treat is as "keep
+        // state". See also #2441. Rules with action "block" should
+        // always be stateless by default.
+        if (XMLTools::version_compare(user_choice_version, "4.0") < 0)
+            ropt->setBool("stateless", true);
+        else
+        {
+            if (action == "pass") ropt->setBool("stateless", false);
+        }
+    }
+
     if (state_op == "no") ropt->setBool("stateless", true);
     if (state_op == "modulate") ropt->setBool("pf_modulate_state", true);
     if (state_op == "keep") ropt->setBool("stateless", false);

src/libgui/importFirewallConfigurationWizard/IC_ProgressPage.cpp

@@ -150,6 +150,18 @@ void IC_ProgressPage::initializePage()
                                   lib,
                                   *buffer, platform, firewallName, fileName,
                                   deduplicate);
+
+    // lists host_os_list and version_list are used-chosen host os and version.
+    // We ask user to choose these only for PF, so for other platforms 
+    // these lists are going to be empty.
+    if ( wz->host_os_list.size() > 0 && wz->version_list.size() > 0)
+    {
+        int host_os_idx = field("hostOS").toInt();
+        int version_idx = field("version").toInt();
+
+        importer->setUserChoiceHostOS( wz->host_os_list.at( host_os_idx ));
+        importer->setUserChoiceVersion( wz->version_list.at( version_idx ));
+    }
     
     connect(importer, SIGNAL(destroyed(QObject*)),
             this, SLOT(importerDestroyed(QObject*)));

src/libgui/importFirewallConfigurationWizard/ImporterThread.cpp

@@ -73,6 +73,16 @@ ImporterThread::~ImporterThread()
     if (fwbdebug) qDebug() << "ImporterThread::~ImporterThread()";
 }
 
+void ImporterThread::setUserChoiceHostOS(const QString &s)
+{
+    userChoiceHostOS = s;
+}
+
+void ImporterThread::setUserChoiceVersion(const QString &s)
+{
+    userChoiceVersion = s;
+}
+
 void ImporterThread::run()
 {
     QThreadLogger *logger = new QThreadLogger();
@@ -98,6 +108,11 @@ void ImporterThread::run()
 
     if (importer)
     {
+        if ( ! userChoiceHostOS.isEmpty())
+            importer->setUserChoiceHostOS(userChoiceHostOS.toStdString());
+        
+        if ( ! userChoiceVersion.isEmpty())
+            importer->setUserChoiceVersion(userChoiceVersion.toStdString());
 
         importer->setFileName(fileName.toUtf8().constData());
         if (deduplicate) importer->prepareForDeduplication();

src/libgui/importFirewallConfigurationWizard/ImporterThread.h

@@ -54,6 +54,8 @@ class ImporterThread : public QThread
     QWidget *ui;
     libfwbuilder::Firewall *fw;
     bool stopFlag;
+    QString userChoiceHostOS;
+    QString userChoiceVersion;
     
 public:
     ImporterThread(QWidget *ui,
@@ -69,6 +71,9 @@ public:
     void stop();
 
     libfwbuilder::Firewall* getFirewallObject() { return fw; }
+
+    void setUserChoiceHostOS(const QString &s);
+    void setUserChoiceVersion(const QString &s);
     
 signals:
     void finished();

src/unit_tests/PFImporterTest/test_data/pf-state-matches.conf

@@ -0,0 +1,9 @@
+
+
+# state matches
+
+pass in quick proto tcp from any to self port = 22 label "no state word"
+pass in quick proto tcp from any to self port = 22 keep state label "keep state"
+pass in quick proto tcp from any to self port = 22 no state label "no state"
+
+# add modulate state , synproxy and other state-related variants here

src/unit_tests/PFImporterTest/test_data/pf-tcp-flags-matches.conf

@@ -0,0 +1,15 @@
+
+
+# tcp flags matches
+pass in quick proto tcp from any to self port = 22 
+pass in quick proto tcp from any to self port = 22 flags any
+pass in quick proto tcp from any to self port = 22 flags S/SA
+pass in quick proto tcp from any to self port = 22 flags S/SAFR
+
+block in log quick proto tcp flags FUP/WEUAPRSF label "FUP/WEUAPRSF"
+block in log quick proto tcp flags WEUAPRSF/WEUAPRSF label "WEUAPRSF/WEUAPRSF"
+block in log quick proto tcp flags SRAFU/WEUAPRSF label "SRAFU/WEUAPRSF"
+block in log quick proto tcp flags /WEUAPRSF label "/WEUAPRSF"
+block in log quick proto tcp flags SR/SR label "SR/SR"
+block in log quick proto tcp flags SF/SF label "SF/SF"
+