Enable connections limits on a per-source basis

author Tom Hughes <tom@compton.nu>

Sun, 5 Mar 2023 15:33:44 +0000 (15:33 +0000)

committer Tom Hughes <tom@compton.nu>

Sun, 5 Mar 2023 15:33:44 +0000 (15:33 +0000)
author Tom Hughes <tom@compton.nu>
Sun, 5 Mar 2023 15:33:44 +0000 (15:33 +0000)
committer Tom Hughes <tom@compton.nu>
Sun, 5 Mar 2023 15:33:44 +0000 (15:33 +0000)
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb

index 36500c022f5339cec5ed0fad790208f2253d8c2d..665c0cb84ee9d279f3e65241e12b7777045e57dd 100644 (file)
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -133,9 +133,13 @@ action_class do
        rule << "ct state new"
      end
  
-    # if new_resource.connection_limit != "-"
-    #   rule << "ct count #{new_resource.connection_limit}"
-    # end
+    if new_resource.connection_limit != "-"
+      set = "connlimit-#{new_resource.rule}-#{ip}"
+
+      node.default[:networking][:firewall][:sets] << set
+
+      rule << "add @#{set} { #{ip} saddr ct count #{new_resource.connection_limit} }"
+    end
  
      # if new_resource.rate_limit =~ %r{^s:(\d+)/sec:(\d+)$}
      #   set = "#{new_resource.rule}-#{ip}"
author	Tom Hughes <tom@compton.nu>
	Sun, 5 Mar 2023 15:33:44 +0000 (15:33 +0000)
committer	Tom Hughes <tom@compton.nu>
	Sun, 5 Mar 2023 15:33:44 +0000 (15:33 +0000)