On 30 December 2013 15:17, Mathieu Poirier <mathieu.poirier@xxxxxxxxxx> wrote:
> Hey Florian - I think that is an acceptable compromise. The LOG chain
> and rules are extra but it is set up only once and as such scales well.
>
> Thank you for that,
> Mathieu
>
> On 30 December 2013 14:46, Florian Westphal <fw@xxxxxxxxx> wrote:
>> Mathieu Poirier <mathieu.poirier@xxxxxxxxxx> wrote:
>>> Upon reaching the limit of 10000 bytes of http traffic, any outgoing
>>> http packets will be dropped and a single broadcast message will be
>>> sent to user space. That is because the match explicitly takes care
>>> of sending the notification.
>>>
>>> With your proposal:
>>>
>>> iptables -I OUTPUT -p http \
>>>     -m nfacct --nfacct-name http-limit --quota 10000 --match-once \
>>>     -j NFLOG --nflog-prefix "http: " --nflog-group 34
>>>
>>> will log the quota-reached event but won't prevent further http
>>> traffic from going out. One could instinctively add another rule
>>> right after the above one, something like:
>>>
>>> iptables -I OUTPUT -p http \
>>>     -m nfacct --nfacct-name http-limit --quota 10000 \
>>>     -j REJECT
>>>
>>> but that won't work either because the packet/byte count will be
>>> incremented twice.
>>
>> The usual workaround is to create custom chains to deal with this,
>> i.e.
>> iptables -N LOG_DROP_HTTP
>> iptables -A LOG_DROP_HTTP -j NFLOG --nflog-prefix "http: " --nflog-group 34
>> iptables -A LOG_DROP_HTTP -j REJECT
>> iptables -I OUTPUT -p http -m nfacct ... -j LOG_DROP_HTTP

I may have spoken too quickly. With this solution a log message is sent
every time a packet over quota is received, something we definitely
want to avoid. I was able to cover that case when sending a
notification from the match function.
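The custom-chain workaround from the thread as a runnable script, with one extension the thread does not show: the NFLOG rule is rate-limited with `-m limit`, so going over quota produces a bounded number of log messages rather than one per rejected packet (the problem Mathieu raises). This is added example code, not from the thread or netfilter: it assumes HTTP means tcp/80 (the thread's `-p http` is not a protocol iptables knows), keeps the `--quota` match syntax as written in the thread, assumes the nfacct object already exists, and the `run`, `http_quota_chain` and `DRY_RUN` names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): the LOG_DROP custom-chain
# workaround, extended with "-m limit" on the NFLOG rule so that exceeding
# the quota logs a bounded number of events instead of every rejected packet.
# Assumptions: HTTP is matched as tcp/80 (the thread's "-p http" is not a
# protocol iptables knows), "--quota" is the nfacct match syntax used in the
# thread, and the nfacct object named in $2 already exists.

# run: execute iptables, or only print the command when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# http_quota_chain CHAIN NFACCT_NAME QUOTA_BYTES NFLOG_GROUP [LOG_RATE]
# Installs CHAIN (log + reject) and a single nfacct rule in OUTPUT that jumps
# to it, so the byte counter is incremented exactly once per packet.
http_quota_chain() {
    chain="$1"; acct="$2"; quota="$3"; group="$4"; rate="${5:-1/hour}"
    run -N "$chain"
    # Token bucket of size 1 refilled at $rate: the first over-quota packet
    # is logged immediately, later ones at most once per period.
    run -A "$chain" -m limit --limit "$rate" --limit-burst 1 \
        -j NFLOG --nflog-prefix "$chain: " --nflog-group "$group"
    run -A "$chain" -j REJECT
    run -I OUTPUT -p tcp --dport 80 \
        -m nfacct --nfacct-name "$acct" --quota "$quota" -j "$chain"
}

# Preview the rules without touching the firewall:  DRY_RUN=1 sh quota_chain.sh
if [ -n "${DRY_RUN:-}" ]; then
    http_quota_chain LOG_DROP_HTTP http-limit 10000 34
fi
```

Run it without `DRY_RUN` as root to install the chain; the nfacct match still sits only once in OUTPUT, exactly as in Florian's version.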