Firewall / Rules - specify overload table on max new connections, closes https://github.com/opnsense/core/issues/5229

Ad Schellevis 2021-09-21 15:27:44 +02:00
parent ea7709e268
commit 9da5c28f40
2 changed files with 26 additions and 5 deletions


@ -236,8 +236,9 @@ class FilterRule extends Rule
$rule['state']['options'][] = "tcp.established " . $rule['statetimeout'];
}
if (!empty($rule['max-src-conn-rate']) && !empty($rule['max-src-conn-rates'])) {
$otbl = !empty($rule['overload']) ? $rule['overload'] : "virusprot";
$rule['state']['options'][] = "max-src-conn-rate " . $rule['max-src-conn-rate'] . " " .
"/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
"/" . $rule['max-src-conn-rates'] . ", overload <{$otbl}> flush global ";
}
}
}
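Review bot: The table name computed on the new `$otbl` line is interpolated into the pf ruleset as-is; the `is_alias()` check exists only in the rule-edit form, so an `overload` value that reaches the rule generator by another path (a config import, or an alias renamed or deleted after the rule was saved) yields `overload <name>` for a table pf most likely cannot resolve, and loading the ruleset would fail. Validating here as well and falling back to the default when the stored value does not look like an alias name keeps the generator robust: `$otbl = !empty($rule['overload']) && preg_match('/^[A-Za-z0-9_]+$/', $rule['overload']) ? $rule['overload'] : "virusprot";` (the character class is illustrative and should match what the alias model actually accepts). The enclosing method starts and ends outside the hunk.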


@ -109,6 +109,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
'max-src-conn',
'max-src-conn-rate',
'max-src-conn-rates',
'overload',
'max-src-nodes',
'max-src-states',
'nopfsync',
@ -433,6 +434,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors[] = gettext('Priority match must be an integer between 0 and 7.');
}
if (!empty($pconfig['overload']) && !is_alias($pconfig['overload'])) {
$input_errors[] = gettext('Max new connections overload table should be a valid alias.');
}
if (count($input_errors) == 0) {
$filterent = array();
// 1-on-1 copy of form values
@ -451,6 +456,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
}
// only flush non default max new connection overload table
if (!empty($pconfig['overload']) && $pconfig['overload'] != 'virusprot') {
$filterent['overload'] = $pconfig['overload'];
}
// attributes with some kind of logic
if (!empty($pconfig['floating'])) {
$filterent['floating'] = "yes";
@ -1490,13 +1500,13 @@ endforeach;?>
<tr class="opt_advanced hidden">
<td><a id="help_for_max-src-conn-rate" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Max new connections");?> </td>
<td>
<table style="border:0;">
<table style="border:0; width: 600px;">
<tbody>
<tr>
<td>
<input name="max-src-conn-rate" type="text" value="<?=$pconfig['max-src-conn-rate'];?>" />
<input name="max-src-conn-rate" style="width:152px" type="text" value="<?=$pconfig['max-src-conn-rate'];?>" />
</td>
<td> / </td>
<td style="width:18px" > /&nbsp;</td>
<td>
<select name="max-src-conn-rates" class="selectpicker" data-live-search="true" data-size="5" data-width="auto">
<option value="" <?=intval($pconfig['max-src-conn-rates']) < 1 ? "selected=\"selected\"" : "";?>><?=gettext("none");?></option>
@ -1509,11 +1519,21 @@ endforeach;?>
endfor;?>
</select>
</td>
<td style="width:18px;"> <i class="fa fa-fw fa-share" aria-hidden="true"></i> </td>
<td>
<select name="overload" class="selectpicker" data-live-search="true" data-size="5" data-width="auto">
<?php
foreach (legacy_list_aliases("network") as $alias):?>
<option value="<?=$alias['name'];?>" <?=$alias['name'] == $pconfig['overload'] || empty($pconfig['overload']) && $alias['name'] == 'virusprot' ? "selected=\"selected\"" : "";?>><?=htmlspecialchars($alias['name']);?></option>
<?php
endforeach; ?>
</select>
</td>
</tr>
</tbody>
</table>
<div class="hidden" data-for="help_for_max-src-conn-rate">
<?=gettext("Maximum new connections per host / per second(s) (TCP only)");?>
<?=gettext("Maximum new connections per host / per second(s) and overload table to use (TCP only), the default virusprot table comes with a default block rule in floating rules.");?>
</div>
</td>
</tr>
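Review bot: In the new `<option>` line of the overload select, the `value` attribute is emitted as `<?=$alias['name'];?>` while the visible text goes through `htmlspecialchars()`; both should be escaped the same way, `value="<?=htmlspecialchars($alias['name']);?>"`, so an unexpected alias name cannot break the attribute. Two smaller points in the same file: the comparison on the line after `// only flush non default max new connection overload table` uses loose `!=` and should be `$pconfig['overload'] !== 'virusprot'` since the value is a string, and the new `is_alias()` check accepts any alias type whereas the select only offers `legacy_list_aliases("network")`, so unless `is_alias()` already restricts the type, a port- or URL-type alias name submitted directly would pass validation but name a table pf cannot use as an overload target. The comment wording also appears off, as the block stores the table name rather than flushing anything; `// only store a non-default overload table` reads closer to what the code does.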