Sure. The quota match allows you to specify an absolute maximum number of bytes for any traffic traversing the rule. After the quota is surpassed, the rule no longer evaluates to true. It does this by initializing a 64-bit counter to some specified value (so the maximum specifiable quota value is 18446744073709551615 bytes). The counter will be decremented by the buffer size every time a packet encounters the match. Each counter is independent, and when a counter reaches zero, the match evaluates to false.
For example, let’s say I route traffic to three clients: A, B, and C (whose IP addresses are 10.0.0.10, 10.0.0.11, and 10.0.0.12 respectively). My policy is that client A will be capped at a limit of 1GB (1073741824 bytes), and clients B and C share a quota of 2GB (2147483648 bytes). This means that once the combined traffic of B and C reaches 2GB, neither of them will have access to my packet forwarding. So in the filter table, I might have these rules (implementing two separate quotas):
Code:
iptables -N A
iptables -N B_AND_C
iptables -P FORWARD DROP
iptables -A A -m quota --quota 1073741824 -j ACCEPT
iptables -A B_AND_C -m quota --quota 2147483648 -j ACCEPT
iptables -A FORWARD -s 10.0.0.10 -j A
iptables -A FORWARD -d 10.0.0.10 -j A
iptables -A FORWARD -s 10.0.0.11 -j B_AND_C
iptables -A FORWARD -d 10.0.0.11 -j B_AND_C
iptables -A FORWARD -s 10.0.0.12 -j B_AND_C
iptables -A FORWARD -d 10.0.0.12 -j B_AND_C
iptables -A A -j DROP
iptables -A B_AND_C -j DROP
Notice that any traffic destined for or originating from our clients’ (and only our clients’) IP addresses will jump to the appropriate chain. So this setup is too simple to be used in a situation where at least one of the clients is routing (when it is forwarding packets without translation) and is in our routes to other addresses/networks.
Last edited by osor; 10-22-2007 at 07:01 PM.
Reason: No policies for user-defined chains
This is the inelegant part. You see, the kernel-level code for the quota match is very simple. An advantage of this is that code maintenance is very easy. A disadvantage is that there is no way to modify a state from userspace (i.e., you may only create and delete quotas, but once you’ve created them, they must run their course). This is different from other such netfilter modules (e.g., recent) which offer a /proc filesystem interface for managing their respective properties.
So the only way to “reset” a quota is to delete and re-add the rule. E.g., if you are resetting client A’s quota in the example from post four, try this:
Code:
iptables -D A 1
iptables -I A -m quota --quota 1073741824 -j ACCEPT
This sort of “reset” functionality may be added to a monthly cron script or the like.
An additional caveat (caused by the lack of a /proc interface) is the inability to save the state and reload it. So once the router is power-cycled, even if you use iptables-save and iptables-restore, you will inadvertently reset the quota (i.e., there is as yet no way to remember how much of the quota your client has used when you restart the computer). The only way to prevent this is to keep your computer running all the time (which is not so unusual for a router).
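The delete-and-re-add reset above, packaged as the kind of monthly cron script the post mentions, for the chains A and B_AND_C from the earlier rules. This is an added example, not code from the post; it assumes the rules exist exactly as shown above, deletes the quota rule by its full specification rather than by rule number, and reads how much of a quota has been consumed from the ACCEPT rule's own byte counter (the listing it parses is a constructed sample). Set IPTABLES=echo to dry-run.

```shell
#!/bin/sh
# Monthly quota reset for the chains in the rules above (A: 1 GiB, B_AND_C: 2 GiB).
# Added example, not from the original post. Set IPTABLES=echo to dry-run.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# chain / quota-in-bytes pairs, one per line (same values as the example rules)
QUOTAS='
A 1073741824
B_AND_C 2147483648
'

# Constructed sample of "iptables -L A -v -x -n" output (not a real capture).
SAMPLE_LISTING='Chain A (2 references)
    pkts      bytes target     prot opt in     out     source               destination
  123456  987654321 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 1073741824 bytes
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print the bytes charged against a chain's quota since its last reset, taken from
# the byte counter of the quota/ACCEPT rule in "iptables -L <chain> -v -x -n" output
# on stdin. That counter only grows while the quota match still succeeds, so it is
# the closest thing to reading the module's otherwise invisible state.
quota_used_bytes() {
    awk '$3 == "ACCEPT" && /quota:/ { print $2; found = 1; exit }
         END { if (!found) print 0 }'
}

# Reset one chain: delete the quota rule by its full specification (a rule number
# such as "-D A 1" hits the wrong rule if the chain was ever edited), then re-insert
# it at position 1 so it stays ahead of the chain's final DROP. The new rule gets a
# fresh 64-bit counter, which is the only "reset" the module offers.
reset_quota() {
    chain=$1; bytes=$2
    $IPTABLES -D "$chain" -m quota --quota "$bytes" -j ACCEPT 2>/dev/null || true
    $IPTABLES -I "$chain" 1 -m quota --quota "$bytes" -j ACCEPT
}

# Reset every chain in QUOTAS; from cron, e.g. "0 0 1 * * /path/quota-reset.sh reset".
reset_all() {
    echo "$QUOTAS" | while read -r chain bytes; do
        [ -n "$chain" ] || continue
        reset_quota "$chain" "$bytes"
    done
}

case "${1:-}" in
    reset) reset_all ;;
esac
```

Because the module keeps no persistent state, log the value from quota_used_bytes before each reset if you want a record of what each client consumed in the period.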