From 0d9550b9129766ca3055a96cf48ccc4586eaec6d Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 24 Dec 2024 17:17:28 +0100
Subject: [PATCH] Firewall: Automation: Filter - add max (states) option for https://github.com/opnsense/core/issues/8143
---
 .../OPNsense/Firewall/forms/dialogFilterRule.xml | 10 ++++++++++
 .../mvc/app/models/OPNsense/Firewall/Filter.php | 14 +++++++++-----
 .../mvc/app/models/OPNsense/Firewall/Filter.xml | 3 +++
 3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
index 27570965f..90f55638e 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -154,6 +154,16 @@ State Timeout in seconds (TCP only) true + + rule.max + + text + + Limits the number of concurrent states the rule may create. + When this limit is reached, further packets that would create state are dropped until existing states time out. + + true + rule.max-src-nodes
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 785c8330c..0b5bd7448 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -118,11 +118,15 @@ class Filter extends BaseModel
 $rule->interfacenot->__reference
 ));
 }
- if ($rule->statetype == 'none' && !empty((string)$rule->statetimeout)) {
- $messages->appendMessage(new Message(
- gettext("You cannot specify the state timeout (advanced option) if statetype is none."),
- $rule->statetimeout->__reference
- ));
+ if ($rule->statetype == 'none') {
+ foreach (['statetimeout', 'max', 'max-src-states', 'max-src-nodes'] as $fieldname) {
+ if (!empty((string)$rule->$fieldname)) {
+ $messages->appendMessage(new Message(
+ gettext("Invalid option when statetype is none."),
+ $rule->$fieldname->__reference
+ ));
+ }
+ }
 }
 if (!in_array($rule->protocol, ['TCP', 'TCP/UDP']) && !empty((string)$rule->statetimeout)) {
 $messages->appendMessage(new Message(
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 20a0b439f..75e2274e5 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -148,6 +148,9 @@ 1 + + 1 +
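Review bot: The new loop decides whether an option was set with `!empty((string)$rule->$fieldname)`, and PHP's `empty()` treats the string `"0"` as empty, so a `0` entered for `max`, `max-src-states` or `max-src-nodes` on a statetype-none rule slips past this check and is caught, if at all, only by the field's own minimum-value constraint elsewhere in the model. The intent is "the user typed something", which is `if ((string)$rule->$fieldname !== '') {`. The generic `gettext("Invalid option when statetype is none.")` is attached to each field's reference so the user still sees which input is flagged, but the old text also told them the option lives in the advanced section; something like `gettext("This (advanced) option cannot be combined with statetype none.")` keeps that hint. The enclosing validation method starts and ends outside the hunk, and whether the new `max` value is actually emitted into the generated pf rule is not visible in this diff.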
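Review bot: The new `max` field appears to be declared with only a lower bound (the `1` visible in this hunk; the surrounding tags were lost in extraction), so nothing in the model bounds it from above. pf keeps this limit in an unsigned 32-bit counter and, as far as I recall, pfctl refuses a rule whose `max` is out of that range when the ruleset is loaded, which would turn a typo in one rule into a failed filter reload instead of a form error. A `<MaximumValue>` on the field (at most 4294967295, and arguably something well below the system's state-table limit) keeps that failure at validation time where the user can see it; if `max-src-states` and `max-src-nodes` share the same declaration style, the same applies to them.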