Firewall: Automation: Filter - add "Max new connections", closes https://github.com/opnsense/core/issues/8143

This commit is contained in:
Ad Schellevis 2025-01-01 17:59:09 +01:00
parent 23e20aab3c
commit 75144ff498
3 changed files with 61 additions and 3 deletions


@ -225,6 +225,31 @@
<help>Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.</help>
<advanced>true</advanced>
</field>
<field>
<id>rule.max-src-conn-rate</id>
<label>Max new connections [c]</label>
<type>text</type>
<help>Maximum new connections per host, measured over time.</help>
<advanced>true</advanced>
</field>
<field>
<id>rule.max-src-conn-rates</id>
<label>Max new connections [s]</label>
<type>text</type>
<help>Time interval (seconds) to measure the number of connections</help>
<advanced>true</advanced>
</field>
<field>
<id>rule.overload</id>
<label>Overload table</label>
<type>dropdown</type>
<advanced>true</advanced>
<help>
Overload table used when max new connections per time interval has been reached.
The default virusprot table comes with a default block rule in floating rules,
alternatively specify your own table here
</help>
</field>
<field>
<id>rule.nopfsync</id>
<label>NO pfsync</label>
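Review bot: The `[c]` and `[s]` suffixes in the two new labels are not explained in either help text, and neither sentence says that the two values are only meaningful together, which is what the model validation added in this same commit enforces. Suggest for the first field `<help>Maximum number of new connections a single host may open within the interval given in "Max new connections [s]"; both values must be set together.</help>`, and for the second `<help>Time interval (seconds) over which "Max new connections [c]" is measured; required when a connection count is set.</help>` so the second help also ends with a period like the neighbouring fields. The overload help could likewise state that the table is only consulted when one of the connection limits on this page is reached, which is how the text on the line above it reads.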


@ -114,7 +114,8 @@ class Filter extends BaseModel
)
) {
$messages->appendMessage(new Message(
gettext("Inverting interfaces is only allowed for single targets to avoid mis-interpretations"),
gettext("Inverting interfaces is only allowed for ".
"single targets to avoid mis-interpretations"),
$rule->interfacenot->__reference
));
}
@ -132,7 +133,10 @@ class Filter extends BaseModel
}
}
if (!in_array($rule->protocol, ['TCP', 'TCP/UDP'])) {
foreach (['statetimeout', 'max-src-conn', 'tcpflags1', 'tcpflags2'] as $fieldname) {
foreach ([
'statetimeout', 'max-src-conn', 'tcpflags1', 'tcpflags2',
'max-src-conn-rate', 'max-src-conn-rates', 'overload'
] as $fieldname) {
if (!empty((string)$rule->$fieldname)) {
$messages->appendMessage(new Message(
gettext("Invalid option for other than TCP protocol choices."),
@ -141,9 +145,18 @@ class Filter extends BaseModel
}
}
}
if (!empty((string)$rule->{'max-src-conn-rate'}) xor !empty((string)$rule->{'max-src-conn-rates'})) {
$tmp = empty((string)$rule->{'max-src-conn-rate'}) ? 'max-src-conn-rate' : 'max-src-conn-rates';
$messages->appendMessage(new Message(
gettext("Need to specify both a number of connections and a time interval."),
$rule->$tmp->__reference
));
}
if (!empty((string)$rule->tcpflags1) && empty((string)$rule->tcpflags2)) {
$messages->appendMessage(new Message(
gettext("If you specify TCP flags that should be set you should specify out of which flags as well."),
gettext("If you specify TCP flags that should be set ".
"you should specify out of which flags as well."),
$rule->tcpflags2->__reference
));
}
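Review bot: The xor check in the third hunk ties `max-src-conn-rate` and `max-src-conn-rates` together, but nothing validates `overload` against a limit: a table can be selected while both rate fields and `max-src-conn` are empty, yet the form help introduced by this commit says the table is only used when the new-connection limit is reached, so such a rule would presumably never populate it. If that is the intent, a check in the same style as the one above it would be `if (!empty((string)$rule->overload) && empty((string)$rule->{'max-src-conn-rate'}) && empty((string)$rule->{'max-src-conn'})) {` appending `gettext("An overload table requires a connection limit to trigger on.")` on `$rule->overload->__reference`. On style, the three `empty((string)$rule->{'max-src-conn-rate'})` calls in the new block would read better hoisted into two local booleans such as `$hasRate` and `$hasInterval`, with `$tmp` renamed to say which field is missing. The enclosing validation method starts before the first hunk and continues past the last one.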


@ -158,6 +158,26 @@
<max type="IntegerField">
<MinimumValue>1</MinimumValue>
</max>
<max-src-conn-rate type="IntegerField">
<MinimumValue>1</MinimumValue>
</max-src-conn-rate>
<max-src-conn-rates type="IntegerField">
<MinimumValue>1</MinimumValue>
</max-src-conn-rates>
<overload type="ModelRelationField">
<Model>
<aliases>
<source>OPNsense.Firewall.Alias</source>
<items>aliases.alias</items>
<display>name</display>
<filters>
<enabled>/^(?!0).*$/</enabled>
<type>/^(?!(port)).*$/</type>
</filters>
</aliases>
</Model>
<ValidationMessage>Alias not found.</ValidationMessage>
</overload>
<adaptivestart type="IntegerField">
<MinimumValue>0</MinimumValue>
</adaptivestart>
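Review bot: The `<type>` filter on the new `overload` relation, `/^(?!(port)).*$/`, is a deny-list that excludes only alias types whose name begins with `port`; every other alias type in the alias model, including any added later, remains selectable for what the form help on this commit describes as a table of offending hosts. An allow-list regex naming only the address-capable alias types would fail closed instead, e.g. `<type>/^(host|network|...)$/</type>` with the actual type names taken from the alias model, which this page does not show. The `<enabled>` filter `/^(?!0).*$/` also matches an empty string; if `enabled` can be unset on an alias that may or may not be intended.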