On Sat, 11 May 2013, Dash Four wrote:

> Jozsef Kadlecsik wrote:
> > Some examples:
> >
> > a. Traffic counting from clients
> >
> > # Create the set, fill with elements
> > ipset n clients hash:ip counters
> > ipset a clients ...
> > # Match in a rule
> > iptables -A ... -m set --match-set clients src -j ...
> > # List regularly the set and process the counter values
> > ipset l clients
> >
> > b. Combined time and traffic limiting
> >
> > # Create the set, fill with elements
> > ipset n guests hash:ip counters timeout $((2*60*60))
> > ipset a guests ...
> > # Allow traffic up to a given limit or until timeout
> > iptables -A ... \
> >   -m set --match-set guests src --bytes-lt $((8*1024*1024)) ...
> >
> > There are some subtleties of course: if the set match rule is negated
> >
> > .... -m set ! --match-set foo src
> >
> > that is independent of increasing the packet and byte counters for the
> > elements which matched the lookup in the set - the negation happens at rule
> > evaluation level.
> >
> > As the updated iptables-extensions manpage shows, there are new flags to
> > suppress updating the packet and byte counters at different levels if one
> > matches a set from multiple rules.
>
> Jozsef, where is this updated iptables-extensions manpage you speak of?
>
> The latest released version of iptables is 1.4.18, which obviously does not
> include any of the above since it was released before ipset 6.19. I've just
> looked at the main iptables git repo and there aren't any git logs since that
> release with anything related to ipset. In the ipset sources, apart from the
> main ipset man page, there is nothing there which describes the above iptables
> match options.

As I wrote in the announcement, it's still in the "next" branch of the iptables git tree.
Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
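The "list regularly the set and process the counter values" step from Jozsef's example a, and the byte quota from example b, are easiest to act on with a small script. The one below is an added example for this page, not code from either poster or from the ipset project. It parses the element lines that "ipset list" prints for a set created with the "counters" extension ("<ip> packets N bytes M [timeout T]"), which is the format as I know it; the set name "clients", the addresses and the counter values are constructed so the script runs offline without root. On a real host, feed it "$(ipset list clients)" instead of SAMPLE.

```shell
#!/bin/sh
# Added example: process "ipset list" counter output for a hash:ip set created
# with the "counters" extension (ipset >= 6.19). Runs on a constructed sample
# so it can be tested without root; on a live system pipe "ipset list clients"
# into the same functions.

# Constructed sample of "ipset list clients" (not captured from a real host).
# Element lines carry "packets N bytes M" and, with a timeout set, "timeout T".
SAMPLE='Name: clients
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 7200 counters
Size in memory: 312
References: 1
Number of entries: 3
Members:
192.0.2.10 packets 4210 bytes 6291456 timeout 7001
192.0.2.11 packets 0 bytes 0 timeout 7150
192.0.2.12 packets 9000 bytes 8388608 timeout 6400'

# member_counters: read "ipset list" output on stdin and print one line per
# element as "<ip> <packets> <bytes>". Everything before "Members:" is header
# and is skipped; lines without the packets/bytes keywords are ignored.
member_counters() {
    awk '
        /^Members:/ { in_members = 1; next }
        in_members && NF >= 5 && $2 == "packets" && $4 == "bytes" {
            print $1, $3, $5
        }
    '
}

# over_quota LIMIT: print the elements whose byte counter has reached LIMIT.
# A rule using "--bytes-lt LIMIT" stops matching an element once its counter
# is no longer below LIMIT, so these are the clients whose allowance is spent;
# the same threshold is used here so the report agrees with the ruleset.
over_quota() {
    limit=$1
    member_counters | awk -v limit="$limit" '$3 >= limit { print $1 }'
}

# total_bytes: sum of all byte counters in the set, for periodic accounting.
total_bytes() {
    member_counters | awk '{ sum += $3 } END { print sum + 0 }'
}

# Usage with the constructed sample (8 MiB quota, as in example b):
printf '%s\n' "$SAMPLE" | over_quota $((8*1024*1024))
printf '%s\n' "$SAMPLE" | total_bytes
```

Run it from cron at the interval you want the accounting to happen; "ipset list" is read-only, so listing does not disturb the counters, and elements that time out simply disappear from the output.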