Firewall: Automation: Filter - add Max source connections for #8143

opnsense · Dec 28, 2024 · 70b4823 · 70b4823
1 parent b8e3015
commit 70b4823
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 6 deletions.
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -199,6 +199,13 @@
         <help>Limits the maximum number of simultaneous state entries that a single source address can create with this rule.</help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>rule.max-src-conn</id>
+        <label>Max source connections</label>
+        <type>text</type>
+        <help>Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.</help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>rule.nopfsync</id>
         <label>NO pfsync</label>

diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -120,7 +120,8 @@ public function performValidation($validateFullModel = false)
                     }
                     if ($rule->statetype == 'none') {
                         foreach ([
-                            'statetimeout', 'max', 'max-src-states', 'max-src-nodes', 'adaptivestart', 'adaptiveend'
+                            'statetimeout', 'max', 'max-src-states', 'max-src-nodes', 'adaptivestart', 'adaptiveend',
+                            'max-src-conn'
                         ] as $fieldname) {
                             if (!empty((string)$rule->$fieldname)) {
                                 $messages->appendMessage(new Message(
@@ -130,11 +131,15 @@ public function performValidation($validateFullModel = false)
                             }
                         }
                     }
-                    if (!in_array($rule->protocol, ['TCP', 'TCP/UDP']) && !empty((string)$rule->statetimeout)) {
-                        $messages->appendMessage(new Message(
-                            gettext("You can only specify the state timeout (advanced option) for TCP protocol."),
-                            $rule->statetimeout->__reference
-                        ));
+                    if (!in_array($rule->protocol, ['TCP', 'TCP/UDP'])) {
+                        foreach (['statetimeout', 'max-src-conn'] as $fieldname) {
+                            if (!empty((string)$rule->$fieldname)) {
+                                $messages->appendMessage(new Message(
+                                    gettext("Invalid option for other than TCP protocol choices."),
+                                    $rule->$fieldname->__reference
+                                ));
+                            }
+                        }
                     }
                     if (empty((string)$rule->max) && ($rule->adaptivestart == '0' || $rule->adaptiveend == '0')) {
                         $messages->appendMessage(new Message(

diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -152,6 +152,9 @@
                 <max-src-states type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                 </max-src-states>
+                <max-src-conn type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                </max-src-conn>
                 <max type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                 </max>