From 9da5c28f40b39a2de9c1ffdde39360cfee475c22 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 21 Sep 2021 15:27:44 +0200
Subject: [PATCH] Firewall / Rules - specify overload table on max new connections, closes https://github.com/opnsense/core/issues/5229
---
 .../library/OPNsense/Firewall/FilterRule.php | 3 +-
 src/www/firewall_rules_edit.php | 28 ++++++++++++++++---
 2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
index 3a6096a5a..468aecae2 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@@ -236,8 +236,9 @@ class FilterRule extends Rule
 $rule['state']['options'][] = "tcp.established " . $rule['statetimeout'];
 }
 if (!empty($rule['max-src-conn-rate']) && !empty($rule['max-src-conn-rates'])) {
+ $otbl = !empty($rule['overload']) ? $rule['overload'] : "virusprot";
 $rule['state']['options'][] = "max-src-conn-rate " . $rule['max-src-conn-rate'] . " " .
- "/" . $rule['max-src-conn-rates'] . ", overload flush global ";
+ "/" . $rule['max-src-conn-rates'] . ", overload <{$otbl}> flush global ";
 }
 }
 }
diff --git a/src/www/firewall_rules_edit.php b/src/www/firewall_rules_edit.php
index ed800c8e1..730665b55 100644
--- a/src/www/firewall_rules_edit.php
+++ b/src/www/firewall_rules_edit.php
@@ -109,6 +109,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 'max-src-conn',
 'max-src-conn-rate',
 'max-src-conn-rates',
+ 'overload',
 'max-src-nodes',
 'max-src-states',
 'nopfsync',
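Review bot: The value of `$rule['overload']` is interpolated straight into the pf rule text as `overload <{$otbl}>` on the added line without any validation in this class; the `is_alias()` check lives only in the firewall_rules_edit.php form handler, so a table name arriving from stored config or another writer of the rule array reaches the generated ruleset unchecked. A name that does not exist as a loadable table, or that contains characters pf does not accept in a table name, will most likely make the whole ruleset fail to load rather than just this rule. I would constrain the name at the point of use, for example `$otbl = !empty($rule['overload']) && preg_match('/^[A-Za-z0-9_]+$/', $rule['overload']) ? $rule['overload'] : "virusprot";` (using whatever alias-name character set the project enforces elsewhere), or at least log and fall back to `virusprot` when the check fails. The enclosing method starts and ends outside the hunk.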
@@ -433,6 +434,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $input_errors[] = gettext('Priority match must be an integer between 0 and 7.');
 }
+ if (!empty($pconfig['overload']) && !is_alias($pconfig['overload'])) {
+ $input_errors[] = gettext('Max new connections overload table should be a valid alias.');
+ }
+
 if (count($input_errors) == 0) {
 $filterent = array();
 // 1-on-1 copy of form values
@@ -451,6 +456,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 }
+ // only flush non default max new connection overload table
+ if (!empty($pconfig['overload']) && $pconfig['overload'] != 'virusprot') {
+ $filterent['overload'] = $pconfig['overload'];
+ }
+
 // attributes with some kind of logic
 if (!empty($pconfig['floating'])) {
 $filterent['floating'] = "yes";
@@ -1490,13 +1500,13 @@ endforeach;?> - +
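Review bot: The added `is_alias()` validation rejects a form that explicitly submits the default name `virusprot` unless that built-in table is also registered as an alias, while the save hunk at -451 treats `virusprot` as the accepted default and simply does not store it; the two hunks should agree on whether the default is a valid submission. I would exempt the default in the check, `if (!empty($pconfig['overload']) && $pconfig['overload'] !== 'virusprot' && !is_alias($pconfig['overload'])) {`, so the accepted values are exactly the default and an existing alias. Whether `is_alias()` also confirms the alias is of a type pf can load as a table (host or network) is not visible here and worth verifying, since an alias of another type would pass this check and presumably fail at ruleset load time instead. The enclosing request handler starts and ends outside the hunk.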
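Review bot: The comment `// only flush non default max new connection overload table` describes the wrong action, since the block stores the table name in `$filterent` and flushes nothing, and the comparison below it uses loose `!=`. I would change the two lines to `// only store a non-default overload table; FilterRule falls back to virusprot when unset` and `if (!empty($pconfig['overload']) && $pconfig['overload'] !== 'virusprot') {`. The enclosing request handler starts and ends outside the hunk.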
- + + +
- + / + +