authorSteven Barth <steven@midlink.org>2014-04-14 08:49:55 +0200
committerSteven Barth <steven@midlink.org>2014-04-14 08:49:55 +0200
commit1097a30f1d08c54e9483fb47fd4f25033e86d90d (patch)
tree296ef0ba3e0e8256040f2700acfa5275c62f5882
parent6661ec505820cfb1a02b788641c2e770cbd38e36 (diff)
snat: add support for connlimiting port-range SNAT
Signed-off-by: Steven Barth <steven@midlink.org>
-rw-r--r--iptables.h1
-rw-r--r--options.h1
-rw-r--r--snats.c12
3 files changed, 14 insertions, 0 deletions
diff --git a/iptables.h b/iptables.h
index 96d71bf..d0b42d8 100644
--- a/iptables.h
+++ b/iptables.h
@@ -46,6 +46,7 @@
__ipt_module(icmp) \
__ipt_module(icmp6) \
__ipt_module(limit) \
+ __ipt_module(connlimit) \
__ipt_module(mac) \
__ipt_module(mark) \
__ipt_module(set) \
diff --git a/options.h b/options.h
index b31f6b4..f0a759a 100644
--- a/options.h
+++ b/options.h
@@ -423,6 +423,7 @@ struct fw3_snat
struct fw3_limit limit;
struct fw3_time time;
struct fw3_mark mark;
+ bool connlimit_ports;
enum fw3_flag target;
diff --git a/snats.c b/snats.c
index ad0c9b0..c7f29c6 100644
--- a/snats.c
+++ b/snats.c
@@ -45,6 +45,8 @@ const struct fw3_option fw3_snat_opts[] = {
FW3_OPT("limit", limit, snat, limit),
FW3_OPT("limit_burst", int, snat, limit.burst),
+ FW3_OPT("connlimit_ports", bool, snat, connlimit_ports),
+
FW3_OPT("utc_time", bool, snat, time.utc),
FW3_OPT("start_date", date, snat, time.datestart),
FW3_OPT("stop_date", date, snat, time.datestop),
@@ -254,6 +256,16 @@ set_target(struct fw3_ipt_rule *r, struct fw3_snat *snat,
else
sprintf(buf + strlen(buf), ":%u-%u",
snat->port_snat.port_min, snat->port_snat.port_max);
+
+ if (snat->connlimit_ports) {
+ char portcntbuf[6];
+ snprintf(portcntbuf, sizeof(portcntbuf), "%u",
+ 1 + snat->port_snat.port_max - snat->port_snat.port_min);
+
+ fw3_ipt_rule_addarg(r, false, "-m", "connlimit");
+ fw3_ipt_rule_addarg(r, false, "--connlimit-daddr", NULL);
+ fw3_ipt_rule_addarg(r, false, "--connlimit-upto", portcntbuf);
+ }
}
fw3_ipt_rule_target(r, "SNAT");
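Review bot: The port count formatted into `portcntbuf` (L59–L60) is not guarded against an inverted range: if `port_max` is below `port_min`, `1 + port_max - port_min` is negative in int arithmetic, `%u` prints it as a ten-digit value, and `snprintf` silently truncates it into the six-byte buffer, so iptables is handed a bogus `--connlimit-upto` instead of an error — unless the option parser already rejects `port_max < port_min`, which is not visible in this hunk. Cheapest fix is to only emit the match for a sane range, `if (snat->connlimit_ports && snat->port_snat.port_max >= snat->port_snat.port_min) {`, and to compute the count once into a local, `unsigned int nports = 1u + snat->port_snat.port_max - snat->port_snat.port_min;`, so the buffer size assumption (at most 65536, five digits) is explicit. A short comment on the `-m connlimit` line would also help the next reader, e.g. `/* cap concurrent connections per destination host at the size of the SNAT port pool; connlimit keys on daddr only, so this is conservative across dports/protocols — verify against xt_connlimit */`. The enclosing `set_target` function starts and ends outside this hunk.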