From cc906541476ff96d229ee2e400571050a8cd3a60 Mon Sep 17 00:00:00 2001 From: Fengyu Wu Date: Wed, 7 Jan 2026 21:46:38 +0800 Subject: [PATCH] templates: allow inverted limits Translate inverted limits to nft `limit rate over` which specifies that the rule is matching packets over the rate limit. Signed-off-by: Fengyu Wu --- root/usr/share/firewall4/templates/mangle-rule.uc | 2 +- root/usr/share/firewall4/templates/redirect.uc | 2 +- root/usr/share/firewall4/templates/rule.uc | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/root/usr/share/firewall4/templates/mangle-rule.uc b/root/usr/share/firewall4/templates/mangle-rule.uc index 90637bb..41fd119 100644 --- a/root/usr/share/firewall4/templates/mangle-rule.uc +++ b/root/usr/share/firewall4/templates/mangle-rule.uc @@ -35,7 +35,7 @@ {%+ if (rule.helper): -%} ct helper{% if (rule.helper.invert): %} !={% endif %} {{ fw4.quote(rule.helper.name, true) }} {%+ endif -%} {%+ if (rule.limit): -%} - limit rate {{ rule.limit.rate }}/{{ rule.limit.unit }} + limit rate{% if (rule.limit.invert): %} over{% endif %} {{ rule.limit.rate }}/{{ rule.limit.unit }} {%- if (rule.limit_burst): %} burst {{ rule.limit_burst }} packets{% endif %} {%+ endif -%} {%+ if (rule.start_date): -%} meta time >= {{ diff --git a/root/usr/share/firewall4/templates/redirect.uc b/root/usr/share/firewall4/templates/redirect.uc index f24872c..9a9b729 100644 --- a/root/usr/share/firewall4/templates/redirect.uc +++ b/root/usr/share/firewall4/templates/redirect.uc 
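Review bot: The new `{% if (rule.limit.invert): %} over{% endif %}` branch in mangle-rule.uc, and the identical hunks in redirect.uc and rule.uc, reads a flag that nothing in this patch sets. Presumably the option parser already fills `limit.invert` from a leading `!`; that should be confirmed. If it does, a configuration that already carried an inverted limit was rendered as a plain `limit rate` until now, and after this change the same rule matches traffic above the rate instead of below it. That flips which packets an existing accept or drop rule applies to on upgrade, so the commit message should state the behaviour change. A template comment next to the branch, such as `{# invert: match packets exceeding the rate (nft "limit rate over") #}`, would also make the direction of the match explicit; the surrounding rule expression continues outside the hunk.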
@@ -33,7 +33,7 @@ {%+ if (redirect.helper): -%} ct helper{% if (redirect.helper.invert): %} !={% endif %} {{ fw4.quote(redirect.helper.name, true) }} {%+ endif -%} {%+ if (redirect.limit): -%} - limit rate {{ redirect.limit.rate }}/{{ redirect.limit.unit }} + limit rate{% if (redirect.limit.invert): %} over{% endif %} {{ redirect.limit.rate }}/{{ redirect.limit.unit }} {%- if (redirect.limit_burst): %} burst {{ redirect.limit_burst }} packets{% endif %} {%+ endif -%} {%+ if (redirect.start_date && redirect.stop_date): -%} meta time {{ fw4.datestamp(redirect.start_date) }}-{{ fw4.datestamp(redirect.stop_date) }} {%+ diff --git a/root/usr/share/firewall4/templates/rule.uc b/root/usr/share/firewall4/templates/rule.uc index 2843d92..384d467 100644 --- a/root/usr/share/firewall4/templates/rule.uc +++ b/root/usr/share/firewall4/templates/rule.uc @@ -39,7 +39,7 @@ {%+ if (rule.helper): -%} ct helper{% if (rule.helper.invert): %} !={% endif %} {{ fw4.quote(rule.helper.name, true) }} {%+ endif -%} {%+ if (rule.limit): -%} - limit rate {{ rule.limit.rate }}/{{ rule.limit.unit }} + limit rate{% if (rule.limit.invert): %} over{% endif %} {{ rule.limit.rate }}/{{ rule.limit.unit }} {%- if (rule.limit_burst): %} burst {{ rule.limit_burst }} packets{% endif %} {%+ endif -%} {%+ if (rule.start_date && rule.stop_date): -%} meta time {{ fw4.datestamp(rule.start_date) }}-{{ fw4.datestamp(rule.stop_date) }} {%+
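Review bot: Nothing in this patch exercises the new `over` branch in rule.uc or its twins in mangle-rule.uc and redirect.uc. The diffstat lists only the three templates, so no expected-output case covers an inverted limit. Because a wrong rendering here changes which packets a firewall rule matches, I would add a rendering test for an inverted limit both with and without `limit_burst`. With constructed sample values it would expect output like `limit rate over 10/second burst 5 packets`, and the unchanged `limit rate 10/second` when the flag is absent. The template statement this hunk sits in begins and ends outside the visible lines.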