anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-06 04:35:12 +02:00
Code Issues Releases Wiki Activity
Files
7952a7d253a66a504df0589d4143088213451fe8
xtables-addons/extensions/libxt_quota2.man
Michael Farrell 7952a7d253 quota2: add a no-change mode 
This commit adds an option to xt_quota2 called "no-change". The
effect of this option, when used, is that it will skip incrementing
or decrementing the quota counter, effectively providing a quota test
only.

The reason for implementing this is so that I could have a rule check
if quota is available for a rule in the PREROUTING tables, without
actually decrementing the amount of available quota. I only wanted to
decrement the amount of available quota in the FORWARD rule.
Otherwise, the first packet of every connection would be counted
twice.
2009-12-31 16:24:47 +01:00

38 lines
1.6 KiB
Groff
Raw Blame History

The "quota2" implements a named counter which can be increased or decreased
on a per-match basis. Available modes are packet counting or byte counting.
The value of the counter can be read and reset through procfs, thereby making
this match a minimalist accounting tool.
.PP
When counting down from the initial quota, the counter will stop at 0 and
the match will return false, just like the original "quota" match. In growing
(upcounting) mode, it will always return true.
.TP
\fB\-\-grow\fP
Count upwards instead of downwards.
.TP
\fB\-\-no\-change\fP
Makes it so the counter or quota amount is never changed by packets matching
this rule. This is only really useful in "quota" mode, as it will allow you to
use complex prerouting rules in association with the quota system, without
counting a packet twice.
.TP
\fB\-\-name\fP \fIname\fP
Assign the counter a specific name. This option must be present, as an empty
name is not allowed. Names starting with a dot or names containing a slash are
prohibited.
.TP
[\fB!\fP] \fB\-\-quota\fP \fIiq\fP
Specify the initial quota for this counter. If the counter already exists,
it is not reset. An "!" may be used to invert the result of the match. The
negation has no effect when \fB\-\-grow\fP is used.
.TP
\fB\-\-packets\fP
Count packets instead of bytes that passed the quota2 match.
.PP
Because counters in quota2 can be shared, you can combine them for various
purposes, for example, a bytebucket filter that only lets as much traffic go
out as has come in:
.PP
\-A INPUT \-p tcp \-\-dport 6881 \-m quota \-\-name bt \-\-grow;
\-A OUTPUT \-p tcp \-\-sport 6881 \-m quota \-\-name bt;
Reference in New Issue View Git Blame Copy Permalink