| 123456789101112131415161718192021222324252627282930313233343536 |
- Match by how many bytes or packets a connection (or one of the two
- flows constituting the connection) has transferred so far, or by
- average bytes per packet.
- .PP
- The counters are 64-bit and are thus not expected to overflow ;)
- .PP
- The primary use is to detect long-lived downloads and mark them to be
- scheduled using a lower priority band in traffic control.
- .PP
- The transferred bytes per connection can also be viewed through
- `conntrack \-L` and accessed via ctnetlink.
- .PP
- NOTE that for connections which have no accounting information, the match will
- always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls
- whether \fBnew\fP connections will be byte/packet counted. Existing connection
- flows will not be gaining/losing a/the accounting structure when be sysctl flag
- is flipped.
- .TP
- [\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP]
- match packets from a connection whose packets/bytes/average packet
- size is more than FROM and less than TO bytes/packets. if TO is
- omitted only FROM check is done. "!" is used to match packets not
- falling in the range.
- .TP
- \fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP}
- which packets to consider
- .TP
- \fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP}
- whether to check the amount of packets, number of bytes transferred or
- the average size (in bytes) of all packets received so far. Note that
- when "both" is used together with "avgpkt", and data is going (mainly)
- only in one direction (for example HTTP), the average packet size will
- be about half of the actual data packets.
- .TP
- Example:
- iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...
|
