diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
index 292fe3134..cc0473ee6 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -225,6 +225,31 @@
Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.true
+
+ rule.max-src-conn-rate
+
+ text
+ Maximum new connections per host, measured over time.
+ true
+
+
+ rule.max-src-conn-rates
+
+ text
+ Time interval (seconds) to measure the number of connections
+ true
+
+
+ rule.overload
+
+ dropdown
+ true
+
+ Overload table used when max new connections per time interval has been reached.
+ The default virusprot table comes with a default block rule in floating rules,
+ alternatively specify your own table here
+
+ rule.nopfsync
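Review bot: The help text for the `rule.max-src-conn-rate` and `rule.max-src-conn-rates` fields does not tell the user that the two are only accepted together, which is what the model-side validation added in Filter.php in this same change enforces, so a user who fills in one of them only learns about the dependency from the validation error. Consider appending `Must be combined with a time interval.` to the first help text and `Must be combined with a maximum number of new connections.` to the second. The interval help text also lacks the terminal period its siblings have: `Time interval (seconds) to measure the number of connections.`. The XML element names in this hunk appear stripped by rendering, so which element each text lives in is inferred.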
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index e17404077..171d58bf5 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -114,7 +114,8 @@ class Filter extends BaseModel
)
) {
$messages->appendMessage(new Message(
- gettext("Inverting interfaces is only allowed for single targets to avoid mis-interpretations"),
+ gettext("Inverting interfaces is only allowed for ".
+ "single targets to avoid mis-interpretations"),
$rule->interfacenot->__reference
));
}
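Review bot: Splitting the gettext() message at the top of this hunk into two `.`-concatenated literals (and the TCP-flags message the same way in the last hunk of this file) changes how the msgid is seen by string extraction: the runtime string is unchanged, but unless the project's extraction tooling joins adjacent concatenated literals, both messages drop out of the catalog and fall back to untranslated English. Worth confirming with a test extraction before merging, or keeping each message as a single literal and tolerating the long line. The enclosing method starts and ends outside this hunk.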
@@ -132,7 +133,10 @@ class Filter extends BaseModel
}
}
if (!in_array($rule->protocol, ['TCP', 'TCP/UDP'])) {
- foreach (['statetimeout', 'max-src-conn', 'tcpflags1', 'tcpflags2'] as $fieldname) {
+ foreach ([
+ 'statetimeout', 'max-src-conn', 'tcpflags1', 'tcpflags2',
+ 'max-src-conn-rate', 'max-src-conn-rates', 'overload'
+ ] as $fieldname) {
if (!empty((string)$rule->$fieldname)) {
$messages->appendMessage(new Message(
gettext("Invalid option for other than TCP protocol choices."),
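Review bot: The inline list of TCP-only field names in the foreach is now the second place this commit spells out `max-src-conn-rate`, `max-src-conn-rates` and `overload` (the pairing check in the next hunk is the other), so the two can drift apart as fields are added. Hoisting it to a named class constant, e.g. `private const TCP_ONLY_FIELDS = ['statetimeout', 'max-src-conn', 'tcpflags1', 'tcpflags2', 'max-src-conn-rate', 'max-src-conn-rates', 'overload'];` and iterating `self::TCP_ONLY_FIELDS`, gives the list a name that states the intent without a comment. The enclosing method starts and ends outside this hunk.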
@@ -141,9 +145,18 @@ class Filter extends BaseModel
}
}
}
+ if (!empty((string)$rule->{'max-src-conn-rate'}) xor !empty((string)$rule->{'max-src-conn-rates'})) {
+ $tmp = empty((string)$rule->{'max-src-conn-rate'}) ? 'max-src-conn-rate' : 'max-src-conn-rates';
+ $messages->appendMessage(new Message(
+ gettext("Need to specify both a number of connections and a time interval."),
+ $rule->$tmp->__reference
+ ));
+ }
+
if (!empty((string)$rule->tcpflags1) && empty((string)$rule->tcpflags2)) {
$messages->appendMessage(new Message(
- gettext("If you specify TCP flags that should be set you should specify out of which flags as well."),
+ gettext("If you specify TCP flags that should be set ".
+ "you should specify out of which flags as well."),
$rule->tcpflags2->__reference
));
}
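Review bot: The new pairing check only covers the two rate fields; a rule can still set `overload` while neither `max-src-conn-rate` nor `max-src-conn` is configured, in which case the table is never fed (the form help text ties overload to the rate limit, and as far as I recall pf applies it to both limits) yet the rule passes validation silently. A matching check next to the new block would close that: `if (!empty((string)$rule->overload) && empty((string)$rule->{'max-src-conn-rate'}) && empty((string)$rule->{'max-src-conn'})) {` / `$messages->appendMessage(new Message(gettext("An overload table requires a connection limit (max-src-conn or max-src-conn-rate)."), $rule->overload->__reference));` / `}`. Separately, `$tmp` hides what it holds (`$missing` reads better), and for a non-TCP rule this block fires in addition to the per-field TCP-only message from the previous hunk, which may or may not be intended. The enclosing method starts and ends outside this hunk.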
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 43a410f08..cd146075d 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -158,6 +158,26 @@
1
+
+ 1
+
+
+ 1
+
+
+
+
+ OPNsense.Firewall.Alias
+ aliases.alias
+ name
+
+ /^(?!0).*$/
+ /^(?!(port)).*$/
+
+
+
+ Alias not found.
+ 0