authorPablo Neira Ayuso <pablo@netfilter.org>2018-05-31 18:08:06 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-06-06 15:49:47 +0200
commit57e4a095edc4dab19e14fc8d1bca3febde1ca86c (patch)
treec51aaa1f1d3a6d1b42d2ee3da073b46289524ea5 /src/statement.c
parent3384849c113b1ec3906c7a22cc71d708aae1218e (diff)
src: connlimit support
This patch adds support for the new connlimit stateful expression, which provides a mapping to the connlimit iptables extension through meters. eg. nft add rule filter input tcp dport 22 \ meter test { ip saddr ct count over 2 } counter reject This limits the maximum number of incoming SSH connections per source address to 2 simultaneous connections. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/statement.c')
-rw-r--r--src/statement.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/src/statement.c b/src/statement.c
index 4a646e06..6f490132 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -149,6 +149,27 @@ struct stmt *meter_stmt_alloc(const struct location *loc)
return stmt_alloc(loc, &meter_stmt_ops);
}
+static void connlimit_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
+{
+ nft_print(octx, "ct count %s%u ",
+ stmt->connlimit.flags ? "over " : "", stmt->connlimit.count);
+}
+
+static const struct stmt_ops connlimit_stmt_ops = {
+ .type = STMT_CONNLIMIT,
+ .name = "connlimit",
+ .print = connlimit_stmt_print,
+};
+
+struct stmt *connlimit_stmt_alloc(const struct location *loc)
+{
+ struct stmt *stmt;
+
+ stmt = stmt_alloc(loc, &connlimit_stmt_ops);
+ stmt->flags |= STMT_F_STATEFUL;
+ return stmt;
+}
+
static void counter_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
{
nft_print(octx, "counter");
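Review bot: connlimit_stmt_print emits `over ` whenever `stmt->connlimit.flags` is non-zero, so if the field ever carries a bit other than the inverse flag the listed rule would print as an inverse match and no longer round-trip through the parser. If the field mirrors the kernel's connlimit flags, test the specific bit instead, e.g. `stmt->connlimit.flags & NFT_CONNLIMIT_F_INV ? "over " : ""`, and add a one-line comment above the call such as `/* only the inverse flag is meaningful here; "over" means count > limit */` so the next reader knows which bits are expected. The struct field itself is declared outside this hunk, so the same note belongs on its definition.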