On Fri, Dec 20, 2013 at 01:34:00PM -0700, Mathieu Poirier wrote:
> On 19 December 2013 12:43, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
[...]
> > Thinking again on the event delivery, I think it's better if the
> > nfacct match using the new --quota does not deliver the event itself.
> > You can use libnetfilter_queue instead, eg.
> >
> > iptables -I INPUT -p icmp \
> >     -m nfacct icmp --quota 12345 --mode bytes --match-once \
> >     -j NFLOG --nflog-prefix "icmp: " --nflog-group 34
> >
> > The --once parameter tells to match only if you just crossed the quota
> > limit (so the event is sent once). The idea is to use nflog to deliver
> > the event, which is way more flexible as it includes useful
> > information.
>
> I'm not against the idea as it is less code for me to write. Is this
> "--match-once" thing already available? If not I'll come up with it.

The --match-once that I propose is specific to nfacct, so you need to add
a new flag to indicate this matching mode and return true only once for
that rule.

> Just to be clear, if "--match-once" isn't specified a message is sent
> each time we try to send a packet and the quota has been reached.

Exactly, in the example I provided above, if no --match-once is
specified, you will get a log message per packet over quota.
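To make the difference in log volume concrete, the following is a small Python model of the per-packet matching discussed above (an added example, not code from this thread or from the netfilter project). It assumes the counter is compared against the quota with a strict greater-than after the current packet has been accounted, which the thread does not specify, and the packet sizes are constructed.

```python
from dataclasses import dataclass


@dataclass
class NfacctQuotaMatch:
    """Model of one `-m nfacct NAME --quota N --mode bytes|packets` rule.

    This is a simulation written for illustration, not the kernel's xt_nfacct.
    """
    quota: int
    mode: str = "bytes"        # "bytes" or "packets", as with --mode
    match_once: bool = False   # the proposed --match-once flag
    packets: int = 0
    bytes: int = 0
    fired: bool = False        # has this rule already matched once?

    def match(self, pkt_len: int) -> bool:
        """Account the packet, then decide whether the rule matches.

        Assumption: the rule is over quota once the counter is strictly
        greater than --quota.  Without --match-once every packet past the
        quota matches (one NFLOG message each); with it, only the packet
        that crosses the quota matches.
        """
        self.packets += 1
        self.bytes += pkt_len
        counter = self.bytes if self.mode == "bytes" else self.packets
        if counter <= self.quota:
            return False
        if self.match_once:
            if self.fired:
                return False
            self.fired = True
        return True


def simulate(sizes, quota, mode="bytes", match_once=False):
    """Return the 0-based indices of packets that would reach -j NFLOG."""
    rule = NfacctQuotaMatch(quota, mode, match_once)
    return [i for i, n in enumerate(sizes) if rule.match(n)]


if __name__ == "__main__":
    # Constructed sample: six 84-byte ICMP echo packets against a 300-byte quota.
    pings = [84] * 6
    print("per-packet logging:", simulate(pings, 300))                  # [3, 4, 5]
    print("--match-once:      ", simulate(pings, 300, match_once=True))  # [3]
```

The second line shows why the thread prefers --match-once for event delivery: a quota that is exceeded by a sustained flow otherwise produces one NFLOG message per packet for as long as the counter stays over quota.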