Mathieu Poirier <mathieu.poirier@xxxxxxxxxx> wrote:
> Upon reaching the limit of 10000 bytes of http traffic, any outgoing
> http packets will be dropped and a single broadcast message will be
> sent to user space. That is because the match explicitly takes care
> of sending the notification.
>
> With your proposal:
>
> iptables -I OUTPUT -p http \
>   -m nfacct --nfacct-name http-limit --quota 10000 --match-once \
>   -j NFLOG --nflog-prefix "http: " --nflog-group 34
>
> will log the quota-reached event but won't prevent further http
> traffic from going out. One could instinctively add another rule
> right after the above one, something like:
>
> iptables -I OUTPUT -p http \
>   -m nfacct --nfacct-name http-limit --quota 10000 \
>   -j REJECT
>
> but that won't work either because the packet/byte count will be
> incremented twice.

The usual workaround is to create custom chains to deal with this, i.e.

iptables -N LOG_DROP_HTTP
iptables -A LOG_DROP_HTTP -j NFLOG --nflog-prefix "http: " --nflog-group 34
iptables -A LOG_DROP_HTTP -j REJECT

iptables -I OUTPUT -p http -m nfacct ... -j LOG_DROP_HTTP

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
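The custom-chain workaround from the reply above, as an added example that is not part of the original thread: a POSIX shell generator that emits the LOG_DROP chain as an iptables-restore fragment (loaded atomically with `iptables-restore --noflush`) and checks the one property the thread is about, that the named nfacct counter is referenced by exactly one rule so it cannot be incremented twice. Assumptions: `-p tcp --dport 80` stands in for the page's `-p http`, and the nfacct match options (`--quota`, `--match-once` are the proposal under discussion) are passed in verbatim by the caller rather than hard-coded.

```shell
#!/bin/sh
# Added example (not the thread's own code). Builds a filter-table fragment
# implementing the "match once, then log and reject" pattern with a custom
# chain, so the nfacct counter is only touched by the single OUTPUT rule.

# gen_log_drop_ruleset CHAIN NFACCT_MATCH NFLOG_PREFIX NFLOG_GROUP
# NFACCT_MATCH is the full option string for "-m nfacct" (assumed, caller-supplied).
gen_log_drop_ruleset() {
    chain=$1; match=$2; prefix=$3; group=$4
    cat <<EOF
*filter
:$chain - [0:0]
-A $chain -j NFLOG --nflog-prefix "$prefix" --nflog-group $group
-A $chain -j REJECT
-I OUTPUT -p tcp --dport 80 -m nfacct $match -j $chain
COMMIT
EOF
}

# count_nfacct_matches RULESET NAME: how many rules reference the nfacct
# object NAME. Each matching rule updates the counter, so the count must be 1.
count_nfacct_matches() {
    printf '%s\n' "$1" | grep -c -- "--nfacct-name $2" || true
}

# check_single_nfacct_match RULESET NAME: exit 0 if NAME is matched exactly
# once, 1 otherwise (the double-increment mistake described in the thread).
check_single_nfacct_match() {
    [ "$(count_nfacct_matches "$1" "$2")" -eq 1 ]
}

# Example invocation, mirroring the thread's values:
#   gen_log_drop_ruleset LOG_DROP_HTTP \
#       '--nfacct-name http-limit --quota 10000' 'http: ' 34 \
#       | iptables-restore --noflush
```

Run the generated fragment through `check_single_nfacct_match` before loading it; if a second rule naming the same counter ever creeps in, it refuses the ruleset.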