snat: add support for connlimiting port-range SNAT

Signed-off-by: Steven Barth <steven@midlink.org>

diff --git a/iptables.h b/iptables.h
index 96d71bf850f3c485fd80576fa208c4f1e68b05a7..d0b42d89d358ed57553d4e75a30306e9b105a3d0 100644 (file)
--- a/iptables.h
+++ b/iptables.h
@@ -46,6 +46,7 @@
        __ipt_module(icmp)                      \
        __ipt_module(icmp6)                     \
        __ipt_module(limit)                     \
+       __ipt_module(connlimit)                 \
        __ipt_module(mac)                       \
        __ipt_module(mark)                      \
        __ipt_module(set)                       \

diff --git a/options.h b/options.h
index b31f6b4979a3570eca36a97a4be3c5ee39ab6e1e..f0a759aaef8c872d11f1e91611cae80dcdf3ba82 100644 (file)
--- a/options.h
+++ b/options.h
@@ -423,6 +423,7 @@ struct fw3_snat
        struct fw3_limit limit;
        struct fw3_time time;
        struct fw3_mark mark;
+       bool connlimit_ports;
 
        enum fw3_flag target;
 

diff --git a/snats.c b/snats.c
index ad0c9b0e69c5ce5fbf6fc724c1c3b3ce155dde97..c7f29c617b6cf9512e74399c0d1c0da0f5c816f2 100644 (file)
--- a/snats.c
+++ b/snats.c
@@ -45,6 +45,8 @@ const struct fw3_option fw3_snat_opts[] = {
        FW3_OPT("limit",               limit,     snat,     limit),
        FW3_OPT("limit_burst",         int,       snat,     limit.burst),
 
+       FW3_OPT("connlimit_ports",     bool,      snat,     connlimit_ports),
+
        FW3_OPT("utc_time",            bool,      snat,     time.utc),
        FW3_OPT("start_date",          date,      snat,     time.datestart),
        FW3_OPT("stop_date",           date,      snat,     time.datestop),
@@ -254,6 +256,16 @@ set_target(struct fw3_ipt_rule *r, struct fw3_snat *snat,
                        else
                                sprintf(buf + strlen(buf), ":%u-%u",
                                                snat->port_snat.port_min, snat->port_snat.port_max);
+
+                       if (snat->connlimit_ports) {
+                               char portcntbuf[6];
+                               snprintf(portcntbuf, sizeof(portcntbuf), "%u",
+                                               1 + snat->port_snat.port_max - snat->port_snat.port_min);
+
+                               fw3_ipt_rule_addarg(r, false, "-m", "connlimit");
+                               fw3_ipt_rule_addarg(r, false, "--connlimit-daddr", NULL);
+                               fw3_ipt_rule_addarg(r, false, "--connlimit-upto", portcntbuf);
+                       }
                }
 
                fw3_ipt_rule_target(r, "SNAT");