On Mon, Dec 30, 2013 at 04:14:21PM -0700, Mathieu Poirier wrote:
> On 30 December 2013 15:17, Mathieu Poirier <mathieu.poirier@xxxxxxxxxx> wrote:
> > Hey Florian - I think that is an acceptable compromise. The LOG chain
> > and rules are extra but it is set up only once and as such scales well.
> >
> > Thank you for that,
> > Mathieu
> >
> > On 30 December 2013 14:46, Florian Westphal <fw@xxxxxxxxx> wrote:
> >> Mathieu Poirier <mathieu.poirier@xxxxxxxxxx> wrote:
> >>> Upon reaching the limit of 10000 bytes of http traffic, any outgoing
> >>> http packets will be dropped and a single broadcast message will be
> >>> sent to user space. That is because the match explicitly takes care
> >>> of sending the notification.
> >>>
> >>> With your proposal:
> >>>
> >>> iptables -I OUTPUT -p http \
> >>>     -m nfacct --nfacct-name http-limit --quota 10000 --match-once \
> >>>     -j NFLOG --nflog-prefix "http: " --nflog-group 34
> >>>
> >>> will log the quota reached event but won't prevent further http
> >>> traffic from going out. One could instinctively add another rule
> >>> right after the above one, something like:
> >>>
> >>> iptables -I OUTPUT -p http \
> >>>     -m nfacct --nfacct-name http-limit --quota 10000 \
> >>>     -j REJECT
> >>>
> >>> but that won't work either because the packet/byte count will be
> >>> incremented twice.
> >>
> >> The usual workaround is to create custom chains to deal with this,
> >> i.e.
> >> iptables -N LOG_DROP_HTTP
> >> iptables -A LOG_DROP_HTTP -j NFLOG --nflog-prefix "http: " --nflog-group 34
> >> iptables -A LOG_DROP_HTTP -j REJECT
> >> iptables -I OUTPUT -p http -m nfacct ... -j LOG_DROP_HTTP
>
> I may have spoken too quickly. With this solution a log message is
> sent every time a packet over quota is received, something we
> definitely want to avoid. I was able to cover that case when sending
> a notification from the match function.

Then, keep your code to send netlink notifications, I don't find any
better solution at this moment.
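The three rule layouts argued over above (two OUTPUT rules sharing one nfacct object, one nfacct rule jumping to a LOG_DROP_HTTP chain, and a quota match that emits its own single notification) are easiest to compare with a small model of rule traversal. The following is a constructed Python simulation added for this thread; it is not netfilter or xt_nfacct code. The Nfacct, Rule and Firewall classes and their fields are hypothetical; the quota semantics assumed are the ones stated in the thread: every rule that references the nfacct object accounts the packet, the match is true once the byte counter exceeds the quota, and a single notification is emitted on the under-to-over transition. The --match-once flag is not modelled, so the first layout shows the plain double-counting problem.

```python
"""Constructed simulation of an nfacct-style byte quota in three iptables
rule layouts. Toy model for illustration, not netfilter code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Nfacct:
    """Hypothetical model of one nfacct object carrying a byte quota."""
    name: str
    quota_bytes: int
    packets: int = 0
    bytes: int = 0
    notified: bool = False                      # single over-quota event already sent?
    notifications: List[str] = field(default_factory=list)

    def match(self, size: int) -> bool:
        """Account the packet, then report whether the quota is exceeded.
        Emits exactly one notification, on the under->over transition."""
        self.packets += 1
        self.bytes += size
        over = self.bytes > self.quota_bytes
        if over and not self.notified:
            self.notified = True
            self.notifications.append(f"{self.name}: quota reached")
        return over


@dataclass
class Rule:
    match: Callable[[int], bool]                # given packet size, does the rule match?
    target: str                                 # ACCEPT / REJECT / NFLOG / user chain name


@dataclass
class Firewall:
    chains: Dict[str, List[Rule]]               # chain name -> ordered rules
    log: List[str] = field(default_factory=list)
    sent: int = 0
    dropped: int = 0

    def _walk(self, chain: str, size: int) -> Optional[str]:
        """Traverse one chain; return a terminating verdict or None on fall-through."""
        for rule in self.chains[chain]:
            if not rule.match(size):
                continue
            if rule.target == "NFLOG":
                self.log.append(f"http: {size} bytes")      # non-terminating target
            elif rule.target in ("ACCEPT", "REJECT"):
                return rule.target
            else:                                           # jump into a user chain
                verdict = self._walk(rule.target, size)
                if verdict is not None:
                    return verdict
        return None

    def send(self, sizes: List[int]) -> "Firewall":
        """Push packets of the given sizes through OUTPUT (policy ACCEPT)."""
        for size in sizes:
            verdict = self._walk("OUTPUT", size) or "ACCEPT"
            if verdict == "REJECT":
                self.dropped += 1
            else:
                self.sent += 1
        return self


def always(size: int) -> bool:
    return True


def two_rules(sizes):
    """Layout 1: an NFLOG rule and a REJECT rule that both reference the same nfacct object."""
    acct = Nfacct("http-limit", 10000)
    fw = Firewall({"OUTPUT": [Rule(acct.match, "NFLOG"), Rule(acct.match, "REJECT")]})
    return fw.send(sizes), acct


def custom_chain(sizes):
    """Layout 2: one nfacct rule in OUTPUT jumping to LOG_DROP_HTTP (NFLOG, then REJECT)."""
    acct = Nfacct("http-limit", 10000)
    fw = Firewall({
        "OUTPUT": [Rule(acct.match, "LOG_DROP_HTTP")],
        "LOG_DROP_HTTP": [Rule(always, "NFLOG"), Rule(always, "REJECT")],
    })
    return fw.send(sizes), acct


def notify_from_match(sizes):
    """Layout 3: the match itself notifies once; a single REJECT rule, no NFLOG."""
    acct = Nfacct("http-limit", 10000)
    fw = Firewall({"OUTPUT": [Rule(acct.match, "REJECT")]})
    return fw.send(sizes), acct


if __name__ == "__main__":
    pkts = [1000] * 15                          # constructed traffic: 15 packets of 1000 bytes
    for name, fn in (("two rules", two_rules), ("custom chain", custom_chain),
                     ("notify from match", notify_from_match)):
        fw, acct = fn(pkts)
        print(f"{name:18} sent={fw.sent:2} dropped={fw.dropped:2} nflog={len(fw.log):2} "
              f"notifications={len(acct.notifications)} counter_bytes={acct.bytes}")
```

With 15 packets of 1000 bytes, the first layout counts every packet twice, so only 5 packets leave before the 10000-byte quota trips and the counter ends at 30000. The custom chain counts once and lets 10 packets through, but the LOG_DROP_HTTP chain emits an NFLOG line for each of the 5 over-quota packets, which is the flood Mathieu objects to. The third layout also passes 10 packets and produces exactly one notification with no per-packet log lines.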