From: Florian Westphal
Subject: Re: [PATCH 1/1] netfilter: xtables: add quota support to nfacct
Date: Mon, 30 Dec 2013 22:46:53 +0100
Message-ID: <20131230214653.GP29632@breakpoint.cc>
References: <1386780798-24374-1-git-send-email-mathieu.poirier@linaro.org>
 <1386780798-24374-2-git-send-email-mathieu.poirier@linaro.org>
 <20131218095322.GA4740@localhost>
 <20131219194339.GA4561@localhost>
 <20131221085509.GA4230@localhost>
 <20131230173655.GA21288@localhost>
To: Mathieu Poirier
Cc: Pablo Neira Ayuso, netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org, John Stultz, JP Abgrall

Mathieu Poirier wrote:
> Upon reaching the limit of 10000 bytes of http traffic, any outgoing
> http packets will be dropped and a single broadcast message will be
> sent to user space. That is because the match explicitly takes care
> of sending the notification.
>
> With your proposal:
>
> iptables -I OUTPUT -p http \
>   -m nfacct --nfacct-name http-limit --quota 10000 --match-once \
>   -j NFLOG --nflog-prefix "http: " --nflog-group 34
>
> will log the quota reached event but won't prevent further http
> traffic from going out. One could instinctively add another rule
> right after the above one, something like:
>
> iptables -I OUTPUT -p http \
>   -m nfacct --nfacct-name http-limit --quota 10000 \
>   -j REJECT
>
> but that won't work either because the packet/byte count will be
> incremented twice.

The usual workaround is to create custom chains to deal with this, i.e.

iptables -N LOG_DROP_HTTP
iptables -A LOG_DROP_HTTP -j NFLOG --nflog-prefix "http: " --nflog-group 34
iptables -A LOG_DROP_HTTP -j REJECT
iptables -I OUTPUT -p http -m nfacct ... -j LOG_DROP_HTTP
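An added example (my own model, not the kernel's xt_nfacct code or anything from this thread) of why the two-rule layout above counts every packet twice while the custom-chain layout counts each packet once. The chain walker, the "match when bytes exceed quota" rule and the packet sizes are simplifying assumptions.

```python
# Constructed model of iptables chain traversal with an nfacct quota match.
# Assumption: the nfacct counters advance on every evaluation of the match,
# and the match succeeds once the byte counter exceeds the quota.
from dataclasses import dataclass


@dataclass
class Nfacct:
    """A named nfacct object with a byte quota; counts every evaluation."""
    name: str
    quota: int
    packets: int = 0
    bytes: int = 0

    def match(self, pkt_len: int) -> bool:
        self.packets += 1
        self.bytes += pkt_len
        return self.bytes > self.quota


def traverse(chains, name, pkt_len, log):
    """Walk one chain; return a terminating verdict or None (fall through)."""
    for match, target in chains[name]:
        if match is not None and not match(pkt_len):
            continue
        if target == "NFLOG":            # non-terminating: log, keep walking
            log.append(pkt_len)
            continue
        if target in chains:             # jump into a user-defined chain
            verdict = traverse(chains, target, pkt_len, log)
            if verdict is not None:
                return verdict
            continue
        return target                    # REJECT (terminating)
    return None


def run(chains, acct, sizes):
    """Send packets of the given sizes through OUTPUT and return the tuple
    (packets counted, bytes counted, packets rejected, packets logged)."""
    log, rejected = [], 0
    for size in sizes:
        if traverse(chains, "OUTPUT", size, log) == "REJECT":
            rejected += 1
    return acct.packets, acct.bytes, rejected, len(log)


def two_rules(acct):
    """Naive layout: the nfacct match sits in both the NFLOG and REJECT rule."""
    return {"OUTPUT": [(acct.match, "NFLOG"), (acct.match, "REJECT")]}


def custom_chain(acct):
    """Custom-chain layout: match once, jump to a chain that logs then rejects."""
    return {"OUTPUT": [(acct.match, "LOG_DROP_HTTP")],
            "LOG_DROP_HTTP": [(None, "NFLOG"), (None, "REJECT")]}
```

With ten 1500-byte packets and a 10000-byte quota the naive layout reports 20 packets and 30000 bytes and starts rejecting after only three packets have passed, while the custom chain reports the true 10 packets and 15000 bytes and rejects from the seventh packet on.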