Quotas

From nftables wiki
Revision as of 18:27, 6 April 2021 by Fmyhr (talk | contribs) (Be a bit more explicit in intro. Include anonymous as well as named quotas.)

A quota:

  1. defines a threshold number of bytes;
  2. sets an initial byte count (defaults to 0 bytes if not specified);
  3. counts the total number of bytes; and
  4. matches either:
    1. only until the byte count exceeds the threshold, or
    2. only after the byte count is over the threshold.
Anonymous quotas

An anonymous quota is local to the single rule in which it appears. The following example uses an anonymous quota to accept at most 100 mbytes of traffic to port udp/5060; once that amount has been counted, further packets fall through to the chain's drop policy:

table inet anon_quota_demo {
    chain IN {
        type filter hook input priority filter; policy drop;
        udp dport 5060 quota until 100 mbytes accept
    }
}

Named quotas

You can also declare named quotas, which can be referenced from multiple rules and from maps (only as values, not as keys), and which can be reset. For example:

table inet t_quota_demo {
    quota q_over_sip { over 100 mbytes used 0 bytes }

    chain c_sip {
        type filter hook postrouting priority filter; policy accept;
        udp dport 5060 quota name "q_over_sip" drop
    }
}

The above ruleset defines a quota named q_over_sip of over 100 mbytes with an initial count of 0 bytes. The rule in chain c_sip counts the total bytes of all packets to udp/5060 towards this quota. Packets to udp/5060 are accepted as long as this byte count stays at or below 100 mbytes; once this threshold is exceeded, such packets are dropped.
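To make the matching rules in the list at the top of this page and the difference between anonymous and named quotas concrete, here is a small Python model written for this page. It is not nftables code and not part of the nftables project; it assumes the page's description of quota semantics (count the packet, then match below the threshold for "until" and above it for "over"), that every evaluated packet is counted whether or not the rule ends up matching, and that a named quota referenced from several rules is one shared byte counter. The second port (5061) in the named-quota scenario is a hypothetical addition to the page's ruleset, and the packet sizes are constructed. The inputs deliberately stay clear of a count that lands exactly on the threshold, since that boundary is not modelled here.

```python
"""Model of nftables quota matching as described on this page (constructed example)."""
from dataclasses import dataclass

MBYTE = 1024 * 1024  # nft's "mbytes" unit


@dataclass
class Quota:
    """A quota: threshold, mode ("until" or "over") and running byte count."""
    threshold: int        # bytes
    mode: str = "until"   # "until" matches below the threshold, "over" above it
    used: int = 0         # initial count ("used 0 bytes" in the page's ruleset)

    def evaluate(self, packet_len: int) -> bool:
        """Count the packet, then report whether the quota expression matches.

        The packet is counted even when the expression does not match, which is
        why an 'over ... drop' rule sees every packet to the port, not only the
        ones it drops.
        """
        self.used += packet_len
        exceeded = self.used > self.threshold
        return exceeded if self.mode == "over" else not exceeded

    def reset(self) -> None:
        """Model of 'nft reset quota': start counting from zero again."""
        self.used = 0


@dataclass
class Rule:
    """One rule: a destination-port match, a quota expression and a verdict."""
    dport: int
    quota: Quota
    verdict: str


def run_chain(rules, policy, packets):
    """Walk packets through a chain: the first matching rule decides, else the policy.

    packets is a list of (dport, length_in_bytes) tuples; returns one verdict each.
    """
    verdicts = []
    for dport, length in packets:
        verdict = policy
        for rule in rules:
            if dport == rule.dport and rule.quota.evaluate(length):
                verdict = rule.verdict
                break
        verdicts.append(verdict)
    return verdicts


def demo_anonymous_until():
    """Page's first ruleset: 'udp dport 5060 quota until 100 mbytes accept' under policy drop."""
    rule = Rule(5060, Quota(100 * MBYTE, "until"), "accept")
    packets = [(5060, 60 * MBYTE), (5060, 30 * MBYTE), (5060, 20 * MBYTE), (5060, 1 * MBYTE)]
    # First two packets bring the count to 90 mbytes and are accepted; the third
    # pushes it to 110 mbytes, so 'until' stops matching and the policy drops it.
    return run_chain([rule], "drop", packets)


def demo_named_over_shared():
    """Page's second ruleset, with a hypothetical second rule on udp/5061 sharing q_over_sip."""
    q_over_sip = Quota(100 * MBYTE, "over", used=0)
    rules = [Rule(5060, q_over_sip, "drop"), Rule(5061, q_over_sip, "drop")]
    packets = [(5060, 60 * MBYTE), (5061, 60 * MBYTE), (5061, 1 * MBYTE)]
    # Both rules count towards the same named quota: 60 mbytes on one port plus
    # 60 mbytes on the other exceed the threshold, so the second packet is dropped.
    before_reset = run_chain(rules, "accept", packets)
    q_over_sip.reset()  # like 'nft reset quota inet t_quota_demo q_over_sip'
    after_reset = run_chain(rules, "accept", [(5060, 10 * MBYTE)])
    return before_reset, after_reset, q_over_sip.used


if __name__ == "__main__":
    print("anonymous until:", demo_anonymous_until())
    print("named over, shared, then reset:", demo_named_over_shared())
```

The point the second scenario makes is that a named quota is a single counter: every rule that references `q_over_sip` adds to the same byte total, so splitting traffic across rules does not grant each rule its own 100 mbytes. On a live system the equivalent of the model's `reset()` is `nft reset quota inet t_quota_demo q_over_sip`, which zeroes the counter without changing the threshold.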