From 75144ff498fcf573b97492fed0481584534a3f44 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Wed, 1 Jan 2025 17:59:09 +0100 Subject: [PATCH] Firewall: Automation: Filter - add "Max new connections", closes https://github.com/opnsense/core/issues/8143 --- .../Firewall/forms/dialogFilterRule.xml | 25 +++++++++++++++++++ .../app/models/OPNsense/Firewall/Filter.php | 19 +++++++++++--- .../app/models/OPNsense/Firewall/Filter.xml | 20 +++++++++++++++ 3 files changed, 61 insertions(+), 3 deletions(-) diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml index 292fe3134..cc0473ee6 100644 --- a/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml +++ b/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml @@ -225,6 +225,31 @@ Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make. true + + rule.max-src-conn-rate + + text + Maximum new connections per host, measured over time. + true + + + rule.max-src-conn-rates + + text + Time interval (seconds) to measure the number of connections + true + + + rule.overload + + dropdown + true + + Overload table used when max new connections per time interval has been reached. + The default virusprot table comes with a default block rule in floating rules, + alternatively specify your own table here + + rule.nopfsync diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php index e17404077..171d58bf5 100644 --- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php +++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php 
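Review bot: The help text on the new `rule.overload` dropdown ties the table to "max new connections per time interval" only, but pf's `overload <table>` is filled when a host exceeds either the established-connection limit (`max-src-conn`, the "Limit the maximum number of simultaneous TCP connections" field directly above this hunk) or the new rate limit, so an admin who only sets the established limit is not told this dropdown applies to them. I'd reword the first sentence to `Table that hosts are added to when they exceed the max established or max new connections limits.` and keep the virusprot sentence as is. The text could also spell out what "your own table" implies: the page only promises a default block rule for virusprot, so a custom table needs its own block rule, and as far as I can tell only virusprot entries get expired again by the system — confirm against the alias/cron code before stating that. The enclosing form definition starts and ends outside the hunk.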
@@ -114,7 +114,8 @@ class Filter extends BaseModel
 )
 ) {
 $messages->appendMessage(new Message(
- gettext("Inverting interfaces is only allowed for single targets to avoid mis-interpretations"),
+ gettext("Inverting interfaces is only allowed for ".
+ "single targets to avoid mis-interpretations"),
 $rule->interfacenot->__reference
 ));
 }
@@ -132,7 +133,10 @@ class Filter extends BaseModel
 }
 }
 if (!in_array($rule->protocol, ['TCP', 'TCP/UDP'])) {
- foreach (['statetimeout', 'max-src-conn', 'tcpflags1', 'tcpflags2'] as $fieldname) {
+ foreach ([
+ 'statetimeout', 'max-src-conn', 'tcpflags1', 'tcpflags2',
+ 'max-src-conn-rate', 'max-src-conn-rates', 'overload'
+ ] as $fieldname) {
 if (!empty((string)$rule->$fieldname)) {
 $messages->appendMessage(new Message(
 gettext("Invalid option for other than TCP protocol choices."),
@@ -141,9 +145,18 @@ class Filter extends BaseModel
 }
 }
 }
+ if (!empty((string)$rule->{'max-src-conn-rate'}) xor !empty((string)$rule->{'max-src-conn-rates'})) {
+ $tmp = empty((string)$rule->{'max-src-conn-rate'}) ? 'max-src-conn-rate' : 'max-src-conn-rates';
+ $messages->appendMessage(new Message(
+ gettext("Need to specify both a number of connections and a time interval."),
+ $rule->$tmp->__reference
+ ));
+ }
+
 if (!empty((string)$rule->tcpflags1) && empty((string)$rule->tcpflags2)) {
 $messages->appendMessage(new Message(
- gettext("If you specify TCP flags that should be set you should specify out of which flags as well."),
+ gettext("If you specify TCP flags that should be set ".
+ "you should specify out of which flags as well."),
 $rule->tcpflags2->__reference
 ));
 }
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 43a410f08..cd146075d 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
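Review bot: The new `xor` check in the third hunk only guarantees that `max-src-conn-rate` and `max-src-conn-rates` are set together; nothing validates that an `overload` table is accompanied by a limit that can fill it, so a rule with only `overload` selected is accepted even though in pf `overload <table>` is a state option that is triggered by `max-src-conn` or `max-src-conn-rate` and does nothing on its own (assuming the rule writer, which is outside this diff, emits it unconditionally). That is a false sense of protection: the admin picks the block table, gets no validation error, and no host is ever added. I'd add a sibling check right after the new pairing block, attached to `$rule->overload->__reference`, as below. The enclosing validation method starts and ends outside the hunk.
```php
// … unchanged: max-src-conn-rate / max-src-conn-rates pairing check …
if (
    !empty((string)$rule->overload) &&
    empty((string)$rule->{'max-src-conn'}) &&
    empty((string)$rule->{'max-src-conn-rate'})
) {
    $messages->appendMessage(new Message(
        gettext("An overload table requires a max established or max new connections limit to trigger it."),
        $rule->overload->__reference
    ));
}
```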
@@ -158,6 +158,26 @@ 1 + + 1 + + + 1 + + + + + OPNsense.Firewall.Alias + aliases.alias + name + + /^(?!0).*$/ + /^(?!(port)).*$/ + + + + Alias not found. + 0
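Review bot: The `overload` relation field accepts any alias that passes its two filters (with the tags stripped here they read like an enabled check and a `type` not-`port` check — confirm), but pf's overload target must be a table whose contents are not rewritten behind its back. If alias sync replaces table contents on reload, as I believe it does for host, network, url/urltable and geoip aliases, every host pf adds via overload is dropped at the next filter reload or alias refresh, silently undoing the block, and the alias's own configured entries are only blocked if some rule references that table. Unless the rule writer (outside this diff) handles that, I'd tighten the type filter to the table types that are managed in place, e.g. `/^(?:internal|external)$/` if `type` is the field being matched, or at minimum add a description on this field saying host-list aliases are refreshed and should not be chosen here. The enclosing model definition starts and ends outside the hunk.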