author | Steven Barth <steven@midlink.org> | 2014-04-14 08:49:55 +0200 |
---|---|---|
committer | Steven Barth <steven@midlink.org> | 2014-04-14 08:49:55 +0200 |
commit | 1097a30f1d08c54e9483fb47fd4f25033e86d90d (patch) | |
tree | 296ef0ba3e0e8256040f2700acfa5275c62f5882 | |
parent | 6661ec505820cfb1a02b788641c2e770cbd38e36 (diff) | |
download | firewall3-1097a30f1d08c54e9483fb47fd4f25033e86d90d.tar.gz |
snat: add support for connlimiting port-range SNAT
Signed-off-by: Steven Barth <steven@midlink.org>
-rw-r--r-- | iptables.h | 1 | ||||
-rw-r--r-- | options.h | 1 | ||||
-rw-r--r-- | snats.c | 12 |
3 files changed, 14 insertions, 0 deletions
@@ -46,6 +46,7 @@
 __ipt_module(icmp) \
 __ipt_module(icmp6) \
 __ipt_module(limit) \
+ __ipt_module(connlimit) \
 __ipt_module(mac) \
 __ipt_module(mark) \
 __ipt_module(set) \
@@ -423,6 +423,7 @@ struct fw3_snat
 struct fw3_limit limit;
 struct fw3_time time;
 struct fw3_mark mark;
+ bool connlimit_ports;
 enum fw3_flag target;
@@ -45,6 +45,8 @@ const struct fw3_option fw3_snat_opts[] = {
 FW3_OPT("limit", limit, snat, limit),
 FW3_OPT("limit_burst", int, snat, limit.burst),
+ FW3_OPT("connlimit_ports", bool, snat, connlimit_ports),
+ FW3_OPT("utc_time", bool, snat, time.utc),
 FW3_OPT("start_date", date, snat, time.datestart),
 FW3_OPT("stop_date", date, snat, time.datestop),
@@ -254,6 +256,16 @@ set_target(struct fw3_ipt_rule *r, struct fw3_snat *snat,
 else
 sprintf(buf + strlen(buf), ":%u-%u",
 snat->port_snat.port_min, snat->port_snat.port_max);
+
+ if (snat->connlimit_ports) {
+ char portcntbuf[6];
+ snprintf(portcntbuf, sizeof(portcntbuf), "%u",
+ 1 + snat->port_snat.port_max - snat->port_snat.port_min);
+
+ fw3_ipt_rule_addarg(r, false, "-m", "connlimit");
+ fw3_ipt_rule_addarg(r, false, "--connlimit-daddr", NULL);
+ fw3_ipt_rule_addarg(r, false, "--connlimit-upto", portcntbuf);
+ }
 }
 fw3_ipt_rule_target(r, "SNAT");
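Review bot: The count written into `portcntbuf` by `1 + snat->port_snat.port_max - snat->port_snat.port_min` assumes `port_min <= port_max`; unless the option parser already enforces that ordering (not visible here), an inverted range wraps, `snprintf` silently truncates it to the five characters `portcntbuf[6]` can hold, and the rule is emitted with a meaningless `--connlimit-upto` value. Either guard the block with `if (snat->connlimit_ports && snat->port_snat.port_min <= snat->port_snat.port_max)` or note the parser's guarantee in a comment, and document the magic size as `char portcntbuf[6]; /* "65536" + NUL, the largest possible port count */`. A one-line comment on the `--connlimit-daddr` line would also help: as far as I can tell the intent is to stop this SNAT rule from matching once the port range could be exhausted for one destination, and grouping by destination address only is conservative relative to the per-destination-port limit that actually applies. set_target starts before the hunk (only its signature is visible in the hunk header), and the block closed by the context `}` opens outside the hunk as well.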