Re: [PATCH 1/1] netfilter: xtables: add quota support to nfacct

On 30 December 2013 10:36, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Sun, Dec 29, 2013 at 02:53:15PM -0700, Mathieu Poirier wrote:
>> On 21 December 2013 01:55, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> > On Fri, Dec 20, 2013 at 01:34:00PM -0700, Mathieu Poirier wrote:
>> >> On 19 December 2013 12:43, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> > [...]
>> >> > Thinking again on the event delivery, I think it's better if the
>> >> > nfacct match using the new --quota does not deliver the event itself.
>> >> > You can use libnetfilter_queue instead, eg.
>> >> >
>> >> >         iptables -I INPUT -p icmp \
>> >> >                  -m nfacct icmp --quota 12345 --mode bytes --match-once \
>> >> >                  -j NFLOG --nflog-prefix "icmp: " --nflog-group 34
>> >> >
>>
>> Thinking further on this...
>>
>> Unless I'm missing something the above only specifies when to log
>> quota transgression, hence introducing the need to write yet another
>> rule to explicitly deal with the packet.  My previous solution logged
>> quota excess _and_ dealt with the packet.
>
> What kind of "deal with the packet" you need to make in case you
> reach the quota? Please, elaborate your use case with hypothetical
> (iptables) examples so I can help better.

Apologies for not expressing myself clearly.

iptables -I OUTPUT -p tcp --dport 80 \
        -m nfacct --nfacct-name http-limit --quota 10000 -j REJECT

Upon reaching the limit of 10000 bytes of http traffic, any outgoing
http packets will be dropped and a single broadcast message will be
sent to user space.  That is because the match explicitly takes care
of sending the notification.

With your proposal:

iptables -I OUTPUT -p tcp --dport 80 \
         -m nfacct --nfacct-name http-limit --quota 10000 --match-once \
         -j NFLOG --nflog-prefix "http: " --nflog-group 34

will log the quota reached event but won't prevent further http
traffic from going out.  One could instinctively add another rule
right after the above one, something like:

iptables -I OUTPUT -p tcp --dport 80 \
         -m nfacct --nfacct-name http-limit --quota 10000 \
         -j REJECT

but that won't work either because the packet/byte counter will be
incremented twice.

>
>> Using ' nfulnl_log_packet()' (if even possible) would seem hackish to me.
>
> I don't like that choice either.
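As an added example, not code from this thread or from netfilter: a small Python model of the chain semantics described above, showing why a second rule referencing the same nfacct object double-counts. The quota behaviour (the match becomes true once the object's byte count exceeds the quota; with match-once it is true for a single packet only), the 1000-byte packets and the rule/target shapes are assumptions built from the thread's description, not the kernel's implementation.

```python
"""Toy model of the nfacct quota semantics discussed in the thread.

Constructed example, not kernel or iptables code: an nfacct object is
incremented by *every* rule that references it, so a chain that uses the
same object in two rules counts each packet twice.  Quota handling here
follows the thread's description (assumed): the match becomes true once
the object's byte count exceeds the quota; with match_once it is true
for a single packet only.
"""
from dataclasses import dataclass


@dataclass
class NfacctObject:
    name: str
    quota: int            # byte quota; match is true once bytes > quota
    bytes: int = 0
    pkts: int = 0
    fired: bool = False   # match-once already consumed


@dataclass
class Rule:
    nfacct: str           # nfacct object name (--nfacct-name)
    target: str           # "NFLOG" (non-terminating) or "REJECT"
    match_once: bool = False


class Chain:
    """A minimal OUTPUT chain: rules in order, default policy ACCEPT."""

    def __init__(self, objects, rules):
        self.objects = {o.name: o for o in objects}
        self.rules = list(rules)
        self.events = []  # user-space notifications that would be sent

    def match(self, rule, obj, size):
        # Every evaluation of an nfacct match updates the shared object,
        # whatever the rule's target is.  This is the double-count trap.
        obj.pkts += 1
        obj.bytes += size
        if obj.bytes <= obj.quota:
            return False
        if rule.match_once:
            if obj.fired:
                return False
            obj.fired = True
        return True

    def process(self, size):
        """Run one packet of `size` bytes through the chain; return verdict."""
        for rule in self.rules:
            obj = self.objects[rule.nfacct]
            if not self.match(rule, obj, size):
                continue
            if rule.target == "NFLOG":
                self.events.append(f"quota reached on {obj.name}")
                continue          # NFLOG logs and keeps evaluating
            return rule.target    # terminating target
        return "ACCEPT"


def run(chain, packets, size=1000):
    """Send `packets` equal-sized packets; return (accepted, rejected)."""
    verdicts = [chain.process(size) for _ in range(packets)]
    return verdicts.count("ACCEPT"), verdicts.count("REJECT")


def single_rule_scenario(packets=15, quota=10000):
    """One rule on the object: match hits the quota and REJECTs."""
    obj = NfacctObject("http-limit", quota)
    chain = Chain([obj], [Rule("http-limit", "REJECT")])
    accepted, rejected = run(chain, packets)
    return accepted, rejected, obj.bytes


def two_rule_scenario(packets=15, quota=10000):
    """NFLOG --match-once rule followed by a REJECT rule on the same object."""
    obj = NfacctObject("http-limit", quota)
    chain = Chain([obj], [Rule("http-limit", "NFLOG", match_once=True),
                          Rule("http-limit", "REJECT")])
    accepted, rejected = run(chain, packets)
    return accepted, rejected, obj.bytes, len(chain.events)


if __name__ == "__main__":
    # With 1000-byte packets and a 10000-byte quota the single rule lets
    # 10 packets through; the two-rule chain lets only 5 through, and the
    # object reports twice the bytes that were actually sent.
    print("single rule:", single_rule_scenario())
    print("two rules:  ", two_rule_scenario())
```

The two-rule chain starts rejecting after half the intended quota and leaves the object's byte counter at twice the real traffic, which is the double increment the reply refers to; the single rule keeps the counter equal to the bytes that traversed the chain.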