From: Tom Hughes
Date: Sun, 5 Mar 2023 15:33:44 +0000 (+0000)
Subject: Enable connections limits on a per-source basis
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/19bd4c00c87894245afe4dfdead618b356e6cf2f
Enable connections limits on a per-source basis
---
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 36500c022..665c0cb84 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -133,9 +133,13 @@ action_class do
 rule << "ct state new"
 end
- # if new_resource.connection_limit != "-"
- # rule << "ct count #{new_resource.connection_limit}"
- # end
+ if new_resource.connection_limit != "-"
+ set = "connlimit-#{new_resource.rule}-#{ip}"
+
+ node.default[:networking][:firewall][:sets] << set
+
+ rule << "add @#{set} { #{ip} saddr ct count #{new_resource.connection_limit} }"
+ end
 # if new_resource.rate_limit =~ %r{^s:(\d+)/sec:(\d+)$}
 # set = "#{new_resource.rule}-#{ip}"
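Review bot: `new_resource.connection_limit` and `new_resource.rule` are interpolated directly into nftables syntax in the added `if` block, so a value that is not a plain count, or a rule name nft does not accept as part of a set name, would reach nft as malformed or unintended rule text and only show up when the ruleset fails to load. If the property is meant to be a bare integer, a guard before the string is built would catch this at converge time, e.g. `raise "invalid connection_limit" unless new_resource.connection_limit.to_s.match?(/\A\d+\z/)`. The set declaration is rendered outside this hunk; because the set gains an element per source address, it presumably needs `flags dynamic` and a bounded `size`, and a comment should say what happens to new sources once the set is full (particularly if `ip` can be `ip6`, where one client may control many addresses). The enclosing `action_class` block starts and ends outside the hunk.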