Firewall: Automation: Filter - add max (states) option for #8143

opnsense · Dec 24, 2024 · 0d9550b · 0d9550b
1 parent 207d51d
commit 0d9550b
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -154,6 +154,16 @@
         <help>State Timeout in seconds (TCP only)</help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>rule.max</id>
+        <label>Max states</label>
+        <type>text</type>
+        <help>
+            Limits the number of concurrent states the rule may create.
+            When this limit is reached, further packets that would create state are dropped until existing states time out.
+        </help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>rule.max-src-nodes</id>
         <label>Max source nodes</label>

diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -118,11 +118,15 @@ public function performValidation($validateFullModel = false)
                             $rule->interfacenot->__reference
                         ));
                     }
-                    if ($rule->statetype == 'none' && !empty((string)$rule->statetimeout)) {
-                        $messages->appendMessage(new Message(
-                            gettext("You cannot specify the state timeout (advanced option) if statetype is none."),
-                            $rule->statetimeout->__reference
-                        ));
+                    if ($rule->statetype == 'none') {
+                        foreach (['statetimeout', 'max', 'max-src-states', 'max-src-nodes'] as $fieldname) {
+                            if (!empty((string)$rule->$fieldname)) {
+                                $messages->appendMessage(new Message(
+                                    gettext("Invalid option when statetype is none."),
+                                    $rule->$fieldname->__reference
+                                ));
+                            }
+                        }
                     }
                     if (!in_array($rule->protocol, ['TCP', 'TCP/UDP']) && !empty((string)$rule->statetimeout)) {
                         $messages->appendMessage(new Message(

diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -148,6 +148,9 @@
                 <max-src-states type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                 </max-src-states>
+                <max type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                </max>
                 <categories type="ModelRelationField">
                     <Model>
                         <rulesets>