From 19bd4c00c87894245afe4dfdead618b356e6cf2f Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 5 Mar 2023 15:33:44 +0000
Subject: [PATCH 1/1] Enable connections limits on a per-source basis
---
 cookbooks/networking/resources/firewall_rule.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 36500c022..665c0cb84 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -133,9 +133,13 @@ action_class do
 rule << "ct state new"
 end
 
- # if new_resource.connection_limit != "-"
- # rule << "ct count #{new_resource.connection_limit}"
- # end
+ if new_resource.connection_limit != "-"
+ set = "connlimit-#{new_resource.rule}-#{ip}"
+
+ node.default[:networking][:firewall][:sets] << set
+
+ rule << "add @#{set} { #{ip} saddr ct count #{new_resource.connection_limit} }"
+ end
 
 # if new_resource.rate_limit =~ %r{^s:(\d+)/sec:(\d+)$}
 # set = "#{new_resource.rule}-#{ip}"
-- 
2.39.5
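Review bot: The new `rule << "add @#{set} { ... ct count #{new_resource.connection_limit} }"` line interpolates the property straight into the nftables rule text after only a `!= "-"` check, so a mistyped value (e.g. `"10x"`) is not caught by Chef and surfaces only when the generated ruleset is loaded, which can leave the host with a partially applied firewall; coercing at build time, `ct count #{Integer(new_resource.connection_limit)}`, fails the converge with a clear error instead (a `property` validation on `connection_limit` would be the cleaner place, but that declaration is outside this hunk). The `node.default[:networking][:firewall][:sets] << set` append also appears to run every time the rule text is built, so if this method is invoked more than once for the same rule and `ip` during a run the same set name is emitted twice; guarding with `unless node[:networking][:firewall][:sets].include?(set)` would make it idempotent, though whether the downstream template tolerates duplicates I cannot tell from here. A per-source `ct count` element requires the set to be declared with `flags dynamic` and a `size`, and without a `timeout` a full set silently stops matching new sources, so the set definition generated from the `:sets` attribute elsewhere in the cookbook should be checked for those flags. The enclosing method starts before and continues after this hunk.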