Category: LINUX
2014-11-28 12:02:31
connbytes
Match by how many bytes or packets a connection (or one of the two flows constituting the connection) has transferred so far, or by average bytes per packet. The counters are 64-bit and are thus not expected to overflow ;)
The primary use is to detect long-lived downloads and mark them to be scheduled using a lower priority band in traffic control. The transferred bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink.
[!] --connbytes from[:to]
match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. If TO is omitted only the FROM check is done. "!" is used to match packets not falling in the range.
--connbytes-dir [original|reply|both]
which packets to consider
--connbytes-mode [packets|bytes|avgpkt]
whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example HTTP), the average packet size will be about half of the actual data packets.
Example:
iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
Verification:
Take only the first 5 packets of a connection:
iptables -t mangle -A FORWARD -m connbytes --connbytes 5: --connbytes-dir both --connbytes-mode packets -j DROP
Or:
iptables -t mangle -A FORWARD -m connbytes --connbytes 0:5 --connbytes-dir both --connbytes-mode packets -j ACCEPT
Both of the commands above can be used to capture the first N packets of a connection.
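To make the match semantics concrete, here is an added example (my own code, not from the original post or from the iptables project) that reads conntrack entries in the /proc/net/nf_conntrack layout (the newer form of the /proc/net/ip_conntrack file mentioned above) and evaluates --connbytes, --connbytes-dir and --connbytes-mode over them the way the xt_connbytes kernel match does. The three conntrack lines are constructed sample data, not captured from a real host; the first one is shaped like an HTTP download so the "both" + "avgpkt" caveat is visible. The helper names (parse_conntrack, connbytes_value, connbytes_match, classify_long_downloads) are my own.

```python
"""Model the iptables connbytes match over conntrack entries.

Parses /proc/net/nf_conntrack-style lines and evaluates
'[!] --connbytes FROM[:TO] --connbytes-dir DIR --connbytes-mode MODE'
per entry. The packets=/bytes= counters only appear in that file when
conntrack accounting is enabled (sysctl net.netfilter.nf_conntrack_acct=1).
"""
import re

# Constructed sample entries (not captured from a real system).
# Entry 1: HTTP-like download, tiny ACKs out, full-size data packets back.
# Entry 2: short SSH exchange, 4 packets in total.
# Entry 3: DNS query with no reply yet.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=192.0.2.10 sport=51234 dport=80 packets=200 bytes=10400 src=192.0.2.10 dst=10.0.0.2 sport=80 dport=51234 packets=200 bytes=280000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.0.2 dst=192.0.2.53 sport=40000 dport=22 packets=3 bytes=180 src=192.0.2.53 dst=10.0.0.2 sport=22 dport=40000 packets=1 bytes=60 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.2 dst=192.0.2.53 sport=53000 dport=53 packets=1 bytes=70 [UNREPLIED] src=192.0.2.53 dst=10.0.0.2 sport=53 dport=53000 packets=0 bytes=0 mark=0 use=1
"""

COUNTER_RE = re.compile(r"packets=(\d+) bytes=(\d+)")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Return one dict per entry with the original and reply counters."""
    entries = []
    for line in text.splitlines():
        counters = COUNTER_RE.findall(line)
        if len(counters) != 2:
            continue  # accounting disabled or malformed line: nothing to match on
        tup = TUPLE_RE.search(line)  # first tuple on the line = original direction
        (op, ob), (rp, rb) = counters
        entries.append({
            "proto": line.split()[2],
            "orig_tuple": tup.groups() if tup else None,
            "original": {"packets": int(op), "bytes": int(ob)},
            "reply": {"packets": int(rp), "bytes": int(rb)},
        })
    return entries


def connbytes_value(entry, direction="both", mode="bytes"):
    """Quantity the match compares for a --connbytes-dir/--connbytes-mode pair."""
    dirs = ["original", "reply"] if direction == "both" else [direction]
    pkts = sum(entry[d]["packets"] for d in dirs)
    byts = sum(entry[d]["bytes"] for d in dirs)
    if mode == "packets":
        return pkts
    if mode == "bytes":
        return byts
    if mode == "avgpkt":
        return byts // pkts if pkts else 0  # integer division, 0 when no packets yet
    raise ValueError(f"unknown --connbytes-mode {mode!r}")


def connbytes_match(entry, spec, direction="both", mode="bytes", invert=False):
    """Evaluate '[!] --connbytes FROM[:TO]' for one conntrack entry.

    As in the kernel module the test is inclusive (FROM <= value <= TO);
    an omitted TO means no upper bound, and '!' (invert) negates the result.
    """
    frm, _, to = spec.partition(":")
    lo = int(frm)
    hi = int(to) if to else float("inf")
    matched = lo <= connbytes_value(entry, direction, mode) <= hi
    return not matched if invert else matched


def classify_long_downloads(entries, threshold_bytes=10000):
    """The primary use from the text: connections that already moved >= threshold bytes."""
    return [e["orig_tuple"] for e in entries
            if connbytes_match(e, f"{threshold_bytes}:", "both", "bytes")]


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    http = entries[0]
    print("avgpkt, reply only:", connbytes_value(http, "reply", "avgpkt"))
    print("avgpkt, both      :", connbytes_value(http, "both", "avgpkt"))
    for e in entries:
        print(e["orig_tuple"], "'--connbytes 5: ... packets -j DROP' matches:",
              connbytes_match(e, "5:", "both", "packets"))
    print("long downloads:", classify_long_downloads(entries))
```

The HTTP-like entry shows why the man page warns about "both" with "avgpkt": the reply direction alone averages 1400 bytes per packet, but summing both directions and dividing by all packets gives 726, roughly half, because every data packet is paired with a small ACK. Two details worth knowing when writing real rules: the kernel's comparison is inclusive at both ends (so `--connbytes 0:5` matches a connection with exactly 5 packets counted so far), and the value compared is whatever conntrack has accounted at the moment the packet hits the rule, which is why the two FORWARD rules above behave as "first N packets" rules.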