I would like to configure Netfilter to limit the number of connections of a "certain type". The connlimit match does not seem to meet my needs. From the man page,
"... Allows you to restrict the number of parallel connections to a server per client IP address (or client address block). ..."
the connlimit match counts the connections to a server (a single destination IP, I suppose) from an IP address (client IP) or client address block.
I would rather count (and limit) the number of connections based on my own classification. For example, I would like to limit the number of connections from IPs in a given subnet and directed to IPs in another given subnet.
I guess I can reach the goal using the quota2 match, which gives me the ability to increase and decrease a counter: essentially I'll increase the counter with a SYN packet and decrease the counter with a FIN packet. But this solution is incomplete: it cannot count the connections not closed with a FIN packet (timed-out connections) and it can't manage the UDP connections (already properly managed by the conntrack module).
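As an added example (not part of the original post, and not an answer posted to it), here is a POSIX shell script that emits the iptables rules for the two approaches the question compares: a connlimit rule that puts every address of the source subnet into one group via `--connlimit-mask 0`, and the quota2 SYN/FIN counter sketched above. The function names, the FORWARD chain, the counter name and the `IPTABLES_DRY_RUN` switch are my own choices; the script only prints the commands unless `IPTABLES_DRY_RUN=0` is set, because applying them needs root, conntrack and the quota2 match from xtables-addons. Whether connlimit counts only the conntrack entries toward the rule's destination or all entries from the group depends on the kernel version, so check the connlimit man page of your release before relying on the first variant.

```shell
#!/bin/sh
# Added example, not code from the original post.  Generates iptables rules
# that limit TCP connections from subnet SRC to subnet DST in two ways:
#   1. connlimit with --connlimit-mask 0: all sources in SRC share one count;
#   2. the quota2 SYN/FIN counter described in the question.
# run() only prints the commands unless IPTABLES_DRY_RUN=0 (root required).
: "${IPTABLES_DRY_RUN:=1}"
: "${IPTABLES:=iptables}"

run() {
    if [ "$IPTABLES_DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# subnet_pair_connlimit SRC DST MAX [CHAIN]
# Rejects a new SYN from SRC to DST once the group already holds MAX
# tracked connections.  conntrack ages out idle and RST-closed entries,
# so this count never drifts.
subnet_pair_connlimit() {
    src=$1; dst=$2; max=$3; chain=${4:-FORWARD}
    run -A "$chain" -p tcp --syn -s "$src" -d "$dst" \
        -m connlimit --connlimit-above "$max" --connlimit-mask 0 \
        -j REJECT --reject-with tcp-reset
}

# subnet_pair_quota2 SRC DST MAX NAME [CHAIN]
# The SYN/FIN bookkeeping from the question.  The SYN rule must be added
# first: quota2 creates the named counter (initial value MAX, in packets)
# on first reference and later rules reuse it unchanged.
subnet_pair_quota2() {
    src=$1; dst=$2; max=$3; name=$4; chain=${5:-FORWARD}
    # Each new SYN consumes one unit; once the counter is empty the match
    # fails and the following rule rejects the SYN.
    run -A "$chain" -p tcp --syn -s "$src" -d "$dst" \
        -m quota2 --name "$name" --quota "$max" --packets -j ACCEPT
    run -A "$chain" -p tcp --syn -s "$src" -d "$dst" \
        -j REJECT --reject-with tcp-reset
    # A FIN from the client side returns the unit (--grow, no target, so the
    # packet keeps traversing the chain).  RST closes and connections that
    # conntrack times out never pass here, so the counter drifts downward
    # over time; it can be inspected or reset via /proc/net/xt_quota/NAME.
    run -A "$chain" -p tcp --tcp-flags FIN FIN -s "$src" -d "$dst" \
        -m quota2 --name "$name" --quota "$max" --packets --grow
}

# Constructed sample invocation: at most 100 connections from 10.1.0.0/16
# into 10.2.0.0/24 (counter name is a placeholder, max 15 characters).
subnet_pair_connlimit 10.1.0.0/16 10.2.0.0/24 100
subnet_pair_quota2 10.1.0.0/16 10.2.0.0/24 100 pair1to2
```

Run it as-is to review the generated rules; set `IPTABLES_DRY_RUN=0` to apply them. The drift noted in the quota2 comments is exactly the gap the question points out, which is why the conntrack-backed connlimit variant is the one to prefer where its grouping semantics fit.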