snat: add support for connlimiting port-range SNAT

Signed-off-by: Steven Barth <steven@midlink.org>

diff --git a/iptables.h b/iptables.h
index 96d71bf..d0b42d8 100644 (file)
--- a/iptables.h
+++ b/iptables.h
@@ -46,6 +46,7 @@
        __ipt_module(icmp)                      \
        __ipt_module(icmp6)                     \
        __ipt_module(limit)                     \
        __ipt_module(icmp)                      \
        __ipt_module(icmp6)                     \
        __ipt_module(limit)                     \

+       __ipt_module(connlimit)                 \

        __ipt_module(mac)                       \
        __ipt_module(mark)                      \
        __ipt_module(set)                       \
        __ipt_module(mac)                       \
        __ipt_module(mark)                      \
        __ipt_module(set)                       \

diff --git a/options.h b/options.h
index b31f6b4..f0a759a 100644 (file)
--- a/options.h
+++ b/options.h
@@ -423,6 +423,7 @@ struct fw3_snat
        struct fw3_limit limit;
        struct fw3_time time;
        struct fw3_mark mark;
        struct fw3_limit limit;
        struct fw3_time time;
        struct fw3_mark mark;

+       bool connlimit_ports;

 
        enum fw3_flag target;
 
 
        enum fw3_flag target;
 

diff --git a/snats.c b/snats.c
index ad0c9b0..c7f29c6 100644 (file)
--- a/snats.c
+++ b/snats.c
@@ -45,6 +45,8 @@ const struct fw3_option fw3_snat_opts[] = {
        FW3_OPT("limit",               limit,     snat,     limit),
        FW3_OPT("limit_burst",         int,       snat,     limit.burst),
 
        FW3_OPT("limit",               limit,     snat,     limit),
        FW3_OPT("limit_burst",         int,       snat,     limit.burst),
 

+       FW3_OPT("connlimit_ports",     bool,      snat,     connlimit_ports),
+

        FW3_OPT("utc_time",            bool,      snat,     time.utc),
        FW3_OPT("start_date",          date,      snat,     time.datestart),
        FW3_OPT("stop_date",           date,      snat,     time.datestop),
        FW3_OPT("utc_time",            bool,      snat,     time.utc),
        FW3_OPT("start_date",          date,      snat,     time.datestart),
        FW3_OPT("stop_date",           date,      snat,     time.datestop),


@@ -254,6 +256,16 @@ set_target(struct fw3_ipt_rule *r, struct fw3_snat *snat,
                        else
                                sprintf(buf + strlen(buf), ":%u-%u",
                                                snat->port_snat.port_min, snat->port_snat.port_max);
                        else
                                sprintf(buf + strlen(buf), ":%u-%u",
                                                snat->port_snat.port_min, snat->port_snat.port_max);

+
+                       if (snat->connlimit_ports) {
+                               char portcntbuf[6];
+                               snprintf(portcntbuf, sizeof(portcntbuf), "%u",
+                                               1 + snat->port_snat.port_max - snat->port_snat.port_min);
+
+                               fw3_ipt_rule_addarg(r, false, "-m", "connlimit");
+                               fw3_ipt_rule_addarg(r, false, "--connlimit-daddr", NULL);
+                               fw3_ipt_rule_addarg(r, false, "--connlimit-upto", portcntbuf);
+                       }

                }
 
                fw3_ipt_rule_target(r, "SNAT");
                }
 
                fw3_ipt_rule_target(r, "SNAT");