Mathieu Poirier <mathieu.poirier@xxxxxxxxxx> wrote:
> >>> will log the quota reached event but won't prevent further http
> >>> traffic from going out. One could instinctively add another rule
> >>> right after the above one, something like:
> >>>
> >>> iptables -I OUTPUT -p http \
> >>> -m nfacct --nfacct-name http-limit --quota 10000 \
> >>> -j REJECT
> >>>
> >>> but that won't work either because the packet/byte count will be
> >>> incremented twice.
> >>
> >> The usual workaround is to create custom chains to deal with this,
> >> i.e.
> >> iptables -N LOG_DROP_HTTP
> >> iptables -A LOG_DROP_HTTP -j NFLOG --nflog-prefix "http: " --nflog-group 34
> >> iptables -A LOG_DROP_HTTP -j REJECT
> >> iptables -I OUTPUT -p http -m nfacct ... -j LOG_DROP_HTTP
>
> I may have spoken too quickly. With this solution a log message is
> sent every time a packet over quota is received, something we
> definitely want to avoid. I was able to cover that case when sending
> a notification from the match function.

I see. I have no nice solution for this problem.

What could be done is adding a --check-only option to nfacct to only
query but not increment the quota counter, then you could use the
'two-rules' approach you described earlier (one rule to increment
quotas per-packet but only match exactly once when the current packet
brings us over the quota, another rule to 'passively' check against
the limit).

Another option would be to use connmarks or connlabels to flag when a
connection is overlimit or has already been logged. I understand that
this would be cumbersome though (it also adds the conntrack dependency).
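The connmark variant sketched above, worked through as an added example rather than code from the thread: a single nfacct rule (so the counter is incremented exactly once per packet) jumps to a chain that marks the connection, logs it once, and rejects silently afterwards. The chain name, mark bit, NFLOG group and quota value are constructed for illustration, `-p tcp --dport 80` replaces the shorthand `-p http`, and the `--quota` match option is used in the form Mathieu wrote it; the rules are printed rather than applied unless `IPT=iptables` is set.

```shell
#!/bin/sh
# Added example, not part of the original thread. Logs at most one NFLOG
# event per connection once the nfacct quota is exceeded, using CONNMARK to
# remember "already logged" on the conntrack entry (so conntrack is required).
# Dry run by default: IPT prints the rules. Set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

CHAIN="HTTP_OVERQUOTA"   # constructed chain name
MARK="0x1/0x1"           # constructed mark bit: "this connection was logged"
NFLOG_GROUP=34           # same group as the LOG_DROP_HTTP example in the thread
QUOTA=10000              # constructed quota value

over_quota_rules() {
    $IPT -N "$CHAIN"
    # Connections already flagged: reject without logging again.
    $IPT -A "$CHAIN" -m connmark --mark "$MARK" -j REJECT
    # First over-quota packet of a connection: flag it, log once, reject.
    $IPT -A "$CHAIN" -j CONNMARK --set-xmark "$MARK"
    $IPT -A "$CHAIN" -j NFLOG --nflog-prefix "http-quota: " \
        --nflog-group "$NFLOG_GROUP"
    $IPT -A "$CHAIN" -j REJECT
    # One nfacct rule only, so the packet/byte counter is incremented once per
    # packet; the jump is taken only while the quota is exceeded.
    $IPT -I OUTPUT -p tcp --dport 80 \
        -m nfacct --nfacct-name http-limit --quota "$QUOTA" -j "$CHAIN"
}

over_quota_rules
```

Because the first over-quota packet is rejected, a client that retries opens a new connection and is logged again for that attempt; that is one line per connection attempt rather than one per packet, which is the behaviour the thread was after.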