Quotas

From nftables wiki
Revision as of 17:27, 6 April 2021 by Fmyhr (talk | contribs) (Initial quotas page.)

A quota:

  1. defines a threshold number of bytes;
  2. sets an initial byte count (the used value);
  3. counts the total number of bytes of every packet that reaches it; and
  4. matches either until the byte count exceeds the threshold (until), or only once the byte count is over the threshold (over).


For example:

table inet t_quota_demo {
   # stateful quota object: matches once more than 100 mbytes have been counted
   quota q_over_sip { over 100 mbytes used 0 bytes }

   chain c_sip {
      type filter hook postrouting priority filter; policy accept;
      # every packet to udp/5060 is counted against q_over_sip; once the
      # quota is over, the rule matches and the packet is dropped
      udp dport 5060 quota name "q_over_sip" drop
   }
}

The above ruleset defines a quota q_over_sip of over 100 mbytes with an initial count of 0 bytes. The rule in chain c_sip counts the bytes of every packet to udp/5060 that passes the postrouting hook (locally generated or forwarded packets leaving this host) towards this quota. Such packets are accepted as long as this byte count stays at or below 100 mbytes; once the threshold is exceeded, the quota expression matches and they are dropped. Packets that do not match udp dport 5060 never reach the quota expression and are not counted.

Two things to keep in mind. First, nft data units are binary, so 100 mbytes is 100 × 1024 × 1024 bytes. Second, the quota is a stateful object held in the kernel: it is not a rate limit, has no time window, and its counter keeps running and is never reset on its own for as long as the rule is loaded. Use nft list quotas to inspect the current count, and nft reset quotas (or nft reset quota inet t_quota_demo q_over_sip for a single object) to zero it; the used value exists so that the current usage can be carried over when a ruleset is regenerated and reloaded.
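The following is an added example, not code from the nftables project or this wiki: a small Python model of the matching semantics described above, run over a constructed packet trace through a model of chain c_sip. It assumes nft's binary data units (kbytes = 1024, mbytes = 1024 × 1024) and follows the page's wording that an over quota matches once the count has exceeded the threshold, while an until quota matches as long as it has not. The Packet type, parse_quota and c_sip are names introduced here for illustration.

```python
# Added example: a Python model of how an nftables quota matches. It is not
# nftables code; it mirrors the semantics the page describes so that the
# over/until distinction and the effect of the "used" value can be traced.
import re
from dataclasses import dataclass

# nft data units are binary multiples (assumption documented in the lead-in)
UNITS = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 ** 2, "gbytes": 1024 ** 3}


@dataclass
class Quota:
    threshold: int        # the "over N" / "until N" value, in bytes
    mode: str = "over"    # "over" or "until"
    used: int = 0         # running byte count; starts at the "used N" value

    def consume(self, nbytes: int) -> bool:
        """Count nbytes and report whether the quota expression matches.

        The counter advances on every evaluation; the rule's verdict only
        decides what happens to the packet, it does not stop the counting.
        The comparison follows the page's wording ("exceeds" = strictly greater).
        """
        self.used += nbytes
        exceeded = self.used > self.threshold
        return exceeded if self.mode == "over" else not exceeded


_QUOTA_RE = re.compile(r"^(over|until)\s+(\d+)\s+(\w+)(?:\s+used\s+(\d+)\s+(\w+))?$")


def parse_quota(spec: str) -> Quota:
    """Parse the body of a quota object, e.g. 'over 100 mbytes used 0 bytes'."""
    m = _QUOTA_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised quota spec: {spec!r}")
    mode, n, unit, used_n, used_unit = m.groups()
    used = int(used_n) * UNITS[used_unit] if used_n is not None else 0
    return Quota(int(n) * UNITS[unit], mode, used)


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    length: int   # bytes, as the quota would count them


def c_sip(packets, quota):
    """Model of chain c_sip: 'udp dport 5060 quota name q_over_sip drop', policy accept.

    Returns one verdict per packet. The quota is evaluated (and counts) only for
    packets that already matched 'udp dport 5060'; anything else never reaches
    the quota expression and falls through to the chain policy.
    """
    verdicts = []
    for pkt in packets:
        if pkt.proto == "udp" and pkt.dport == 5060 and quota.consume(pkt.length):
            verdicts.append("drop")
        else:
            verdicts.append("accept")
    return verdicts


def demo():
    """Run a constructed trace through c_sip with an over and an until quota."""
    mib = UNITS["mbytes"]
    # constructed trace: three 60 MiB bursts to udp/5060 with other traffic mixed in
    trace = [Packet("udp", 5060, 60 * mib), Packet("tcp", 443, 10 * mib),
             Packet("udp", 5060, 60 * mib), Packet("udp", 53, 1 * mib),
             Packet("udp", 5060, 60 * mib)]
    over = parse_quota("over 100 mbytes used 0 bytes")
    until = parse_quota("until 100 mbytes used 0 bytes")
    return {"over": c_sip(trace, over), "until": c_sip(trace, until), "counted": over.used}


if __name__ == "__main__":
    print(demo())
```

With the over quota the first 60 MiB burst is accepted and the rule starts dropping at the second one; with until the verdicts are inverted, and the rule drops until the quota is used up and accepts afterwards. A quota declared with a non-zero used value, as when usage is carried across a reload, can match on the very first packet it sees.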