Firewall: Automation: Filter - add max (states) option for https://github.com/opnsense/core/issues/8143

2026-03-14 00:24:40 +00:00 · 2024-12-24 17:17:28 +01:00 · 2024-12-24 17:17:28 +01:00 · 0d9550b912
commit 0d9550b912
parent 207d51de55
3 changed files with 22 additions and 5 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@ -154,6 +154,16 @@
        <help>State Timeout in seconds (TCP only)</help>
        <advanced>true</advanced>
    </field>
+    <field>
+        <id>rule.max</id>
+        <label>Max states</label>
+        <type>text</type>
+        <help>
+            Limits the number of concurrent states the rule may create.
+            When this limit is reached, further packets that would create state are dropped until existing states time out.
+        </help>
+        <advanced>true</advanced>
+    </field>
    <field>
        <id>rule.max-src-nodes</id>
        <label>Max source nodes</label>
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@ -118,11 +118,15 @@ class Filter extends BaseModel
                            $rule->interfacenot->__reference
                        ));
                    }
-                    if ($rule->statetype == 'none' && !empty((string)$rule->statetimeout)) {
-                        $messages->appendMessage(new Message(
-                            gettext("You cannot specify the state timeout (advanced option) if statetype is none."),
-                            $rule->statetimeout->__reference
-                        ));
+                    if ($rule->statetype == 'none') {
+                        foreach (['statetimeout', 'max', 'max-src-states', 'max-src-nodes'] as $fieldname) {
+                            if (!empty((string)$rule->$fieldname)) {
+                                $messages->appendMessage(new Message(
+                                    gettext("Invalid option when statetype is none."),
+                                    $rule->$fieldname->__reference
+                                ));
+                            }
+                        }
                    }
                    if (!in_array($rule->protocol, ['TCP', 'TCP/UDP']) && !empty((string)$rule->statetimeout)) {
                        $messages->appendMessage(new Message(
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@ -148,6 +148,9 @@
                <max-src-states type="IntegerField">
                    <MinimumValue>1</MinimumValue>
                </max-src-states>
+                <max type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                </max>
                <categories type="ModelRelationField">
                    <Model>
                        <rulesets>