Difference between revisions of "Quotas"
Jump to navigation
Jump to search
(Initial quotas page.) |
(→Declaring and using named quotas: Add optional comment attribute.) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
A ''quota'': | A ''quota'': | ||
<ol> | |||
<li>defines a threshold number of bytes;</li> | |||
<li>sets an initial byte count (defaults to 0 bytes if not specified);</li> | |||
<li>counts the total number of bytes, starting from the initial count; and</li> | |||
<li>matches either: | |||
<ol style="list-style-type:lower-alpha"> | |||
<li>only ''until'' the byte count exceeds the threshold, or</li> | |||
<li>only after the byte count is ''over'' the threshold.</li> | |||
</ol> | |||
</ol> | |||
= Anonymous quotas = | |||
An anonymous quota is local to the single rule in which it appears. The following example uses an anonymous quota to allow only up to 100 mbytes to port udp/5060: | |||
<source> | <source> | ||
table inet | table inet anon_quota_demo { | ||
chain IN { | |||
type filter hook input priority filter; policy drop; | |||
chain | udp dport 5060 quota until 100 mbytes accept | ||
type filter hook | } | ||
udp dport 5060 quota name " | } | ||
</source> | |||
= Named quotas = | |||
== Declaring and using named quotas == | |||
You can also declare named quotas, which can be used in multiple rules and maps (only as values, not as keys), as well as reset. For example: | |||
<source> | |||
table inet quota_demo { | |||
quota q_until_sip { until 100 mbytes used 0 bytes } | |||
quota q_over_http { over 500 mbytes ; comment "cap http (but not https)" ; } | |||
chain IN { | |||
type filter hook input priority filter; policy drop; | |||
udp dport 5060 quota name "q_until_sip" accept | |||
tcp dport 80 quota name "q_over_http" drop | |||
tcp dport { 80, 443 } accept | |||
} | } | ||
| Line 20: | Line 48: | ||
</source> | </source> | ||
The above ruleset defines a | The above ruleset defines a couple named quotas, each with initial count of 0 bytes. The rules in input chain ''IN'' use these named quotas to: | ||
* accept only up to 100 mbytes total to udp/5060, then drop any additional packets to this (sip) port; | |||
* accept only up to 500 mbytes total to tcp/80, then drop any additional packets to this (http) port; | |||
* accept unlimited packets to tcp/443 (https); | |||
* drop any other packets (note drop policy). | |||
The optional ''comment'' attribute requires at least nftables 0.9.7 and kernel 5.10. | |||
== Listing named quotas == | |||
''nft list [quota | quotas]'' (as per below) returns the quota(s) with current byte count. | |||
* List a particular quota: | |||
<source> | |||
% nft list quota inet quota_demo q_over_http | |||
</source> | |||
* List all quotas in a particular table: | |||
<source> | |||
% nft list quotas table inet quota_demo | |||
</source> | |||
* List all quotas in ruleset: | |||
<source> | |||
% nft list quotas | |||
</source> | |||
== Resetting named quotas == | |||
Resetting a quota dumps its current byte count and then resets the byte count to its initial value. | |||
* Reset a particular quota: | |||
<source> | |||
% nft reset quota inet quota_demo q_until_sip | |||
</source> | |||
* Reset all quotas in a particular table: | |||
<source> | |||
% nft reset quotas table inet quota_demo | |||
</source> | |||
* Reset all quotas in ruleset: | |||
<source> | |||
% nft reset quotas | |||
</source> | |||
'''Note:''' Resetting quotas does not reset anonymous quotas, see [https://bugzilla.netfilter.org/show_bug.cgi?id=1314 bug #1314]. | |||
Latest revision as of 19:42, 1 November 2021
A quota:
- defines a threshold number of bytes;
- sets an initial byte count (defaults to 0 bytes if not specified);
- counts the total number of bytes, starting from the initial count; and
- matches either:
- only until the byte count exceeds the threshold, or
- only after the byte count is over the threshold.
Anonymous quotas
An anonymous quota is local to the single rule in which it appears. The following example uses an anonymous quota to allow only up to 100 mbytes to port udp/5060:
table inet anon_quota_demo {
chain IN {
type filter hook input priority filter; policy drop;
udp dport 5060 quota until 100 mbytes accept
}
}Named quotas
Declaring and using named quotas
You can also declare named quotas, which can be used in multiple rules and maps (only as values, not as keys), as well as reset. For example:
table inet quota_demo {
quota q_until_sip { until 100 mbytes used 0 bytes }
quota q_over_http { over 500 mbytes ; comment "cap http (but not https)" ; }
chain IN {
type filter hook input priority filter; policy drop;
udp dport 5060 quota name "q_until_sip" accept
tcp dport 80 quota name "q_over_http" drop
tcp dport { 80, 443 } accept
}
}The above ruleset defines a couple named quotas, each with initial count of 0 bytes. The rules in input chain IN use these named quotas to:
- accept only up to 100 mbytes total to udp/5060, then drop any additional packets to this (sip) port;
- accept only up to 500 mbytes total to tcp/80, then drop any additional packets to this (http) port;
- accept unlimited packets to tcp/443 (https);
- drop any other packets (note drop policy).
The optional comment attribute requires at least nftables 0.9.7 and kernel 5.10.
Listing named quotas
nft list [quota | quotas] (as per below) returns the quota(s) with current byte count.
- List a particular quota:
% nft list quota inet quota_demo q_over_http- List all quotas in a particular table:
% nft list quotas table inet quota_demo- List all quotas in ruleset:
% nft list quotas
Resetting named quotas
Resetting a quota dumps its current byte count and then resets the byte count to its initial value.
- Reset a particular quota:
% nft reset quota inet quota_demo q_until_sip- Reset all quotas in a particular table:
% nft reset quotas table inet quota_demo- Reset all quotas in ruleset:
% nft reset quotasNote: Resetting quotas does not reset anonymous quotas, see bug #1314.