nftables - quota isn't working?

nftables - quota isn't working?

[pauloric]

Hi all


Reading https://wiki.nftables.org/wiki-nftables/index.php/Quotas

I have been testing quota but I have a doubt.

a) If I use this rule below , quota reaches its value, but download continues.

insert rule inet filter FORWARD ip daddr 192.168.10.11 quota until 2 mbytes counter accept comment "paulo-quota"

nft list ruleset | grep 'paulo-quota'
ip daddr 192.168.10.11 quota 2 mbytes used 2 mbytes counter packets 1074 bytes 2094663 accept comment "paulo-quota"



b) But if I invert logic, download stops.

insert rule inet filter FORWARD ip daddr 192.168.10.11 quota over 2 mbytes counter drop comment "paulo-quota"


debian-10.10.0-amd64-netinst.iso
https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-10.10.0-amd64-netinst.iso
0 B/s - 22,9 MB de 336 MB



Should a) have the same result as b) ?

Ubuntu 20.04.2
5.4.0-47-generic #51-Ubuntu SMP
nftables 0.9.3-2

Thanks in advanced

-- 
Paulo Ricardo Bruck consultor 

Re: nftables - quota isn't working?

[pauloric]

I think that I find the 'error'.

Quota follows same rules that limit?

https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings

If it's correct it should be good to alert users that ares reading https://wiki.nftables.org/wiki-nftables/index.php/Quotas that Quotas follow same rules that limit.... 80)

best regards


----- Mensagem original -----
De: "pauloric" <pauloric@contatogs.com.br>
Para: "netfilter" <netfilter@vger.kernel.org>
Cc: "pauloric" <pauloric@contatogs.com.br>
Enviadas: Quinta-feira, 12 de agosto de 2021 10:01:34
Assunto: nftables - quota isn't working?

Hi all


Reading https://wiki.nftables.org/wiki-nftables/index.php/Quotas

I have been testing quota but I have a doubt.

a) If I use this rule below , quota reaches its value, but download continues.

insert rule inet filter FORWARD ip daddr 192.168.10.11 quota until 2 mbytes counter accept comment "paulo-quota"

nft list ruleset | grep 'paulo-quota'
ip daddr 192.168.10.11 quota 2 mbytes used 2 mbytes counter packets 1074 bytes 2094663 accept comment "paulo-quota"



b) But if I invert logic, download stops.

insert rule inet filter FORWARD ip daddr 192.168.10.11 quota over 2 mbytes counter drop comment "paulo-quota"


debian-10.10.0-amd64-netinst.iso
https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-10.10.0-amd64-netinst.iso
0 B/s - 22,9 MB de 336 MB



Should a) have the same result as b) ?

Ubuntu 20.04.2
5.4.0-47-generic #51-Ubuntu SMP
nftables 0.9.3-2

Thanks in advanced

-- 
Paulo Ricardo Bruck consultor
-- 
Pau lo Ricardo Bruck consultor 
tel 011 3596-4881 011 
cel 98140-9184(TIM/Whats) 
[ http://www.contatogs.com.br/ | http ] [ http://www.contatogs.com.br/ | s://www.contatoglobal.com.br ] 


Domou arigatou gozaimasu

Re: nftables - quota isn't working?

[Florian Westphal]

pauloric@contatogs.com.br <pauloric@contatogs.com.br> wrote:
> I think that I find the 'error'.
> 
> Quota follows same rules that limit?
>
> https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings

Yes, they do not 'drop' packets when the quota expires, it just stops
matching (or starts matching, depending wheter its 'until' or 'over'
mode).