* issue with the quota match
@ 2005-03-28 17:14 Borja Pacheco
  2005-03-29  8:51 ` Pablo Neira
  0 siblings, 1 reply; 4+ messages in thread
From: Borja Pacheco @ 2005-03-28 17:14 UTC (permalink / raw)
  To: Netfilter-Devel

Hi all,

I've tried the quota extension and I have a big question about it,
because the module and the kernel counter don't agree with the number
of packets that have traversed the interfaces...

Here is the example I tried:


In a first moment I insert a rule with an initial quota of 1000 bytes...
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           quota: 1000 bytes

Next, I generate packets and here is the amazing result....
    8   448 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           quota: 712 bytes

Theoretically, 1000 assigned bytes minus total traffic generated (448
bytes), must originate the remaining quota the rule has: 552. 
BUT IT SAYS 712 BYTES!!!!!

What's wrong????


Thanks in advance for your clarifications.
Best regards.


* Re: issue with the quota match
  2005-03-28 17:14 issue with the quota match Borja Pacheco
@ 2005-03-29  8:51 ` Pablo Neira
  2005-03-29 15:53   ` Brad Fisher
  0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira @ 2005-03-29  8:51 UTC (permalink / raw)
  To: Borja Pacheco; +Cc: Netfilter-Devel

Borja Pacheco wrote:
> In a first moment I insert a rule with an initial quota of 1000 bytes...
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           quota: 1000 bytes
> 
> Next, I generate packets and here is the amazing result....
>     8   448 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           quota: 712 bytes
> 
> Theoretically, 1000 assigned bytes minus total traffic generated (448
> bytes), must originate the remaining quota the rule has: 552. 
> BUT IT SAYS 712 BYTES!!!!!

quota doesn't count the ip headers (20 bytes). Some maths:

8 packets x 20 bytes = 160 bytes
552 + 160 = 712 bytes

--
Pablo
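
The arithmetic in the reply above, generalized into a check that can be run on any two counter snapshots of a quota rule. This is an added example, not code from the thread or from netfilter; the function names are hypothetical, and it assumes exact byte counters (as `iptables -L -v -n -x` prints them) and one snapshot taken before and one after the traffic.

```python
import re

# One rule of a verbose listing with a quota match, whitespace-collapsed:
# pkts bytes target prot opt in out source destination quota: N bytes
RULE = re.compile(r"(\d+) (\d+) (\S+) \S+ \S+ \S+ \S+ \S+ \S+ quota: (\d+) bytes")

def parse_quota_rules(listing):
    """Return one dict per quota rule; tolerates rules wrapped over two lines."""
    flat = " ".join(listing.split())  # undo mail-client line wrapping
    return [
        {"pkts": int(p), "bytes": int(b), "target": t, "quota_left": int(q)}
        for p, b, t, q in RULE.findall(flat)
    ]

def reconcile(before, after):
    """Compare rule-counter growth with quota consumption between snapshots."""
    pkts = after["pkts"] - before["pkts"]
    seen = after["bytes"] - before["bytes"]                # rule byte counter
    charged = before["quota_left"] - after["quota_left"]   # what quota counted
    result = {"pkts": pkts, "seen": seen, "charged": charged,
              "uncounted": seen - charged, "per_packet": None}
    # No per-packet figure without traffic. With the quota at 0 the remaining
    # value no longer tracks matched bytes (assumption), so report none either.
    if pkts > 0 and after["quota_left"] > 0:
        result["per_packet"] = result["uncounted"] / pkts
    return result

# The two listings from the thread, line-wrapped as they appear in the mail.
BEFORE = """\
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           quota: 1000 bytes
"""
AFTER = """\
    8   448 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           quota: 712 bytes
"""

if __name__ == "__main__":
    r = reconcile(parse_quota_rules(BEFORE)[0], parse_quota_rules(AFTER)[0])
    # 20 bytes per packet matches an IPv4 header without options.
    print(r)
```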


* Re: issue with the quota match
  2005-03-29  8:51 ` Pablo Neira
@ 2005-03-29 15:53   ` Brad Fisher
  2005-04-03 18:20     ` Patrick McHardy
  0 siblings, 1 reply; 4+ messages in thread
From: Brad Fisher @ 2005-03-29 15:53 UTC (permalink / raw)
  To: Borja Pacheco; +Cc: Netfilter-Devel

Pablo Neira wrote:

> Borja Pacheco wrote:
>
>> In a first moment I insert a rule with an initial quota of 1000 bytes...
>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           quota: 1000 bytes
>>
>> Next, I generate packets and here is the amazing result....
>>     8   448 ACCEPT     all  --  *      *       0.0.0.0/0
>> 0.0.0.0/0           quota: 712 bytes
>>
>> Theoretically, 1000 assigned bytes minus total traffic generated (448
>> bytes), must originate the remaining quota the rule has: 552. BUT IT 
>> SAYS 712 BYTES!!!!!
>
>
> quota doesn't count the ip headers (20 bytes). Some maths:
>
> 8 packets x 20 bytes = 160 bytes
> 552 + 160 = 712 bytes
>
> -- 
> Pablo
>
I had submitted a patch at one time that added an option to the quota 
match to tell it to count the headers...  If anyone's interested I could 
post it again (or you could try searching the list archive), but it is 
probably a little dated at the moment since I haven't done any work on 
it in quite a while...

-Brad


* Re: issue with the quota match
  2005-03-29 15:53   ` Brad Fisher
@ 2005-04-03 18:20     ` Patrick McHardy
  0 siblings, 0 replies; 4+ messages in thread
From: Patrick McHardy @ 2005-04-03 18:20 UTC (permalink / raw)
  To: Brad Fisher; +Cc: Netfilter-Devel

Brad Fisher wrote:
> I had submitted a patch at one time that added an option to the quota 
> match to tell it to count the headers...  If anyone's interested I could 
> post it again (or you could try searching the list archive), but it is 
> probably a little dated at the moment since I haven't done any work on 
> it in quite a while...

This is _ip_-tables, so not counting the IP-header doesn't make much
sense to me. I would prefer making this the default behaviour, with
a warning in the help-text.

Regards
Patrick
