--- zzzz-none-000/linux-4.19.183/net/netfilter/xt_connlimit.c 2021-03-24 10:07:39.000000000 +0000
+++ bcm63-7530ax-756/linux-4.19.183/net/netfilter/xt_connlimit.c 2023-06-28 08:54:21.000000000 +0000
@@ -60,13 +60,33 @@
 key[4] = zone->id;
 } else {
 const struct iphdr *iph = ip_hdr(skb);
+#if defined(CONFIG_BCM_KF_NETFILTER)
+ key[0] = (info->flags & (XT_CONNLIMIT_DADDR | XT_CONNLIMIT_DADDR_DPORT)) ?
+#else
 key[0] = (info->flags & XT_CONNLIMIT_DADDR) ?
+#endif
 iph->daddr : iph->saddr;
 key[0] &= info->mask.ip;
 key[1] = zone->id;
 }
+#if defined(CONFIG_BCM_KF_NETFILTER)
+ if((xt_family(par) == NFPROTO_IPV4) && (info->flags & XT_CONNLIMIT_DADDR_DPORT)){
+
+ /*add dport to the key */
+ key[2] = tuple_ptr->dst.u.all;
+
+ /*check the existing connetion count, don't add new connections to this
+ * once limit is reached(needed for SNAT), passing NULL tuple_ptr gives
+ * count with out adding the current connection
+ */
+ connections = nf_conncount_count(net, info->data, key, NULL, zone);
+ if((connections >= info->limit) && (info->flags & XT_CONNLIMIT_INVERT))
+ return false;
+ }
+#endif
+
 connections = nf_conncount_count(net, info->data, key, tuple_ptr, zone);
 if (connections == 0)
@@ -89,7 +109,12 @@
 if (par->family == NFPROTO_IPV6)
 keylen += sizeof(struct in6_addr);
 else
+#if defined(CONFIG_BCM_KF_NETFILTER)
+ /* increase keylen for dport */
+ keylen += (sizeof(struct in_addr) + sizeof(u32) ) ;
+#else
 keylen += sizeof(struct in_addr);
+#endif
 /* init private data */
 info->data = nf_conncount_init(par->net, par->family, keylen);
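Review bot: `key[2]` is written only inside the `if((xt_family(par) == NFPROTO_IPV4) && (info->flags & XT_CONNLIMIT_DADDR_DPORT))` branch, yet under CONFIG_BCM_KF_NETFILTER the second hunk sizes every IPv4 key at `sizeof(struct in_addr) + sizeof(u32)`, so an IPv4 rule without the DADDR_DPORT flag passes nf_conncount_count() a third key word that this function never sets — unless `key` is zeroed at its declaration, which lies outside the hunk, the lookup key then carries stale stack contents and the count no longer groups connections reliably, so the limit can silently stop applying. Making the key deterministic for every flag combination is one line in the IPv4 branch, `key[2] = 0;` next to `key[1] = zone->id;`, before the DPORT block overwrites it. The pre-count with a NULL tuple also costs a second tree walk and garbage-collection pass per packet, and since it counts a connection that is already tracked, a later packet of the Nth established connection sees `connections >= info->limit` and returns false under XT_CONNLIMIT_INVERT, which differs from the normal `>` verdict unless the rule is restricted to new connections; that assumption should be stated in the comment (which also misspells "connetion" and "with out"). connlimit_mt() starts and ends outside the hunk.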
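Review bot: The extra `sizeof(u32)` is added to `keylen` for every IPv4 rule, while the match side (first hunk) fills that third key word only when XT_CONNLIMIT_DADDR_DPORT is set, so for ordinary rules the length handed to nf_conncount_init() and the bytes the matcher actually initialises disagree. Since `info->data` is per rule, the size can follow the flag: `keylen += sizeof(struct in_addr);` then `if (info->flags & XT_CONNLIMIT_DADDR_DPORT) keylen += sizeof(u32);`, which keeps the unmodified rules byte-identical to upstream; if the unconditional size is intended instead, the comment should say the matcher must always write key[2]. The comment `/* increase keylen for dport */` should name the flag the word belongs to, and the spacing in `sizeof(u32) ) ;` is not kernel style. connlimit_mt_check() starts before the hunk.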