Jozsef Kadlecsik wrote:
Some examples:
a. Traffic counting from clients
# Create the set, fill with elements
ipset n clients hash:ip counters
ipset a clients ...
# Match in a rule
iptables -A ... -m set --match-set clients src -j ...
# List regularly the set and process the counter values
ipset l clients
b. Combined time and traffic limiting
# Create the set, fill with elements
ipset n guests hash:ip counters timeout $((2*60*60))
ipset a guests ...
# Allow traffic up to a given limit or until timeout
iptables -A ... \
-m set --match-set guests src --bytes-lt $((8*1024*1024)) ...
There are some subtleties of course: if the set match rule is negated
.... -m set ! --match-set foo src
that is independent from increasing the packet and byte counters for the
elements which matched the lookup in the set - the negation happens at
rule evaluation level.
As the updated iptables-extensions manpage shows, there are new flags to
suppress updating the packet and byte counters at different levels if one
matches a set from multiple rules.
Jozsef, where is this updated iptables-extensions manpage you speak of?
The latest released version of iptables is 1.4.18, which obviously does
not include any of the above since it was released before ipset 6.19.
I've just looked at the main iptables git repo and there aren't any git
logs since that release with anything related to ipset. In the ipset
sources, apart from the main ipset man page, there is nothing there
which describes the above iptables match options.
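An added example, not code from the thread or from the ipset project: the "list regularly the set and process the counter values" step from examples a and b, done as POSIX shell functions over `ipset list` output. `ipset list` prints each member of a set created with counters as `ADDR packets N bytes M`, with `timeout N` before the counters when the set also has a timeout; the sample output below is constructed, and the 8 MiB limit is the one from the guests example.

```shell
# Constructed sample of `ipset list guests` output for a hash:ip set created
# with "counters timeout": every member line carries its remaining timeout
# followed by its packet and byte counters.
SAMPLE='Name: guests
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 7200 counters
Size in memory: 360
References: 1
Members:
192.0.2.10 timeout 7130 packets 9120 bytes 9437184
192.0.2.11 timeout 6990 packets 41 bytes 30720
192.0.2.12 timeout 12 packets 0 bytes 0'

# counters: read `ipset list` output on stdin and print one line per member,
# "ADDR PACKETS BYTES", for feeding into whatever does the accounting.
# Keywords are located by name, not by column, so the output is parsed the
# same way whether or not the set also carries a timeout.
counters() {
    awk '
        /^Members:/ { in_members = 1; next }
        in_members && NF {
            packets = 0; bytes = 0
            for (i = 2; i < NF; i++) {
                if ($i == "packets") packets = $(i + 1) + 0
                if ($i == "bytes")   bytes   = $(i + 1) + 0
            }
            print $1, packets, bytes
        }'
}

# over_limit LIMIT: print the members whose byte counter has reached LIMIT,
# i.e. the addresses an "--bytes-lt LIMIT" set match no longer accepts.
over_limit() {
    counters | awk -v limit="$1" '$3 >= limit { print $1 }'
}

# Usage with the page's 8 MiB guest limit (replace the sample with the real
# command, e.g. `ipset list guests | over_limit $((8*1024*1024))`):
printf '%s\n' "$SAMPLE" | over_limit $((8 * 1024 * 1024))
```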