On Fri, 28 Feb 2020 12:40:39 +0100
Stefano Brivio <sbrivio@xxxxxxxxxx> wrote:

> Hi Jozsef,
>
> On Thu, 27 Feb 2020 21:37:10 +0100 (CET)
> Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx> wrote:
>
> > Hi Stefano,
> >
> > On Tue, 25 Feb 2020, Stefano Brivio wrote:
> >
> > > On Tue, 25 Feb 2020 21:37:45 +0100 (CET)
> > > Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx> wrote:
> > >
> > > > On Tue, 25 Feb 2020, Stefano Brivio wrote:
> > > >
> > > > > > The logic could be changed in the user rules from
> > > > > >
> > > > > > iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP
> > > > > >
> > > > > > to
> > > > > >
> > > > > > iptables -I INPUT -m set --match-set c src --bytes-lt 800 -j ACCEPT
> > > > > > [ otherwise DROP ]
> > > > > >
> > > > > > but of course it might not be so simple, depending on how the rules are
> > > > > > built up.
> > > > >
> > > > > Yes, it would work, unless the user actually wants to check with the
> > > > > same counter how many bytes are sent "in excess".
> > > >
> > > > You mean the counters are still updated whenever the element is matched in
> > > > the set, and then one could check how many bytes were sent over the
> > > > threshold just by listing the set elements.
> > >
> > > Yes, exactly -- note that it was possible (and, I think, used) before.
> >
> > I'm still not really convinced about such a feature. Why is it useful to
> > know how many bytes would be sent over the "limit"?
>
> This is useful in case one wants different treatments for packets
> according to a number of thresholds in different rules. For example,
>
> iptables -I INPUT -m set --match-set c src --bytes-lt 100 -j noise
> iptables -I noise -m set --match-set c src --bytes-lt 20000 -j download
                                                      ^^ gt, of course :)

-- 
Stefano
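The two rule forms discussed above, plus a tiered variant of the kind Stefano describes, as an added example script. This is not code from the thread, from ipset or from netfilter; the set name `c` and the chain names `noise`/`download` are taken from the thread, the sample address is constructed, and the `DRY_RUN` wrapper is this example's own device so the rules can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread or the ipset project): per-source byte
# budgets built on an ipset "counters" set and the iptables set match.
#
# DRY_RUN=1 (default) prints each command instead of running it, so the
# script can be read and tested without root; DRY_RUN=0 applies the rules.
DRY_RUN="${DRY_RUN:-1}"
SET="${SET:-c}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One hash:ip set whose elements carry packet and byte counters; those
# counters are what --bytes-lt/--bytes-gt compare against. 192.0.2.10 is a
# constructed sample source (TEST-NET-1).
setup_set() {
    run ipset -exist create "$SET" hash:ip counters
    run ipset -exist add "$SET" 192.0.2.10
}

# Form 1 (the original rule in the thread): a single rule that drops once an
# element has sent more than LIMIT bytes. The set match itself succeeds on
# every packet from a listed source; only the byte comparison fails below
# the limit.
gt_drop() {
    limit="$1"
    run iptables -I INPUT -m set --match-set "$SET" src --bytes-gt "$limit" -j DROP
}

# Form 2 (Jozsef's suggestion): accept while under LIMIT, otherwise drop.
# Both rules are inserted at the top of INPUT, so the DROP goes in first and
# the ACCEPT ends up above it.
lt_accept_else_drop() {
    limit="$1"
    run iptables -I INPUT -m set --match-set "$SET" src -j DROP
    run iptables -I INPUT -m set --match-set "$SET" src --bytes-lt "$limit" -j ACCEPT
}

# Tiered treatment: several thresholds read from the same per-element
# counter dispatch to different chains. Rules are appended in descending
# threshold order so the highest tier a source has reached wins.
tiered() {
    low="$1"; high="$2"
    run iptables -N noise
    run iptables -N download
    run iptables -A INPUT -m set --match-set "$SET" src --bytes-gt "$high" -j download
    run iptables -A INPUT -m set --match-set "$SET" src --bytes-gt "$low" -j noise
}

# Whether an element's counters keep advancing after its byte comparison has
# failed is exactly what the thread is about; this is how you read them back.
show_counters() {
    run ipset list "$SET"
}

main() {
    setup_set
    tiered 100 20000
    show_counters
}

main "$@"
```

Run it as-is to see the tiered rule set printed; `DRY_RUN=0 sh budget.sh` as root applies it. Forms 1 and 2 are alternatives to `tiered`, not meant to be stacked on the same INPUT chain.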