This page documents the usage and syntax of the file /proc/net/netfilter/nf_quota
When the module nf_quota is loaded, it generates the virtual file /proc/net/netfilter/nf_quota This file is used to readout the counter values and to set the host/user configuration from userspace. After loading the module the file contains the following:
glob:quota=0;limit=0
user:name=default;quota=0;limit=0
host:ip=127.0.0.1;user=default;quota=0;limit=0
There may be an infinite amount of hosts and users (the only limit is the RAM of your computer)
Every line (except the special commands) is structured like type:name=value;name2=value2
type may have one of the following values:
- glob used to read/set global counter values (global quota and limit);
- user list of users.
- Note:
- The user 'default' is created automatically. Dynamically generated hosts are assigned to this user.
- host hostlist
127.0.0.1 is automatically created and represents the local host (due to the fact that the internet ip may change)
Hosts are generated automatically if the dhosts flag is set to 1. If hosts is set to 0, every packet from or to a host that isn't on the list is dropped.
name supports the following values:
- name (type: user)
Every user has got a unique name which has to be specified with this variable.
This variable has to be set for the type user
- ip (type: host)
The single hosts are identified via there ip-address which is set with this variable.
You have to specify this if the type is host
- user (type: host)
Every host has to be assigned to a user. If you create a host without specifying a user, it is set to 'default'. This variable is only supported by the host type
- quota (type: host, user, glob)
Every user and host has got a quota. And there is a global one.
This is the current counter value of the specified host/user (or the global one).
If you write that value to the proc file, it is added to the current value by default.
To prevent this, specify the 'mode' variable.
- limit (type: host, user, glob)
This variable specifies the traffic limit for the user/host or global.
The value of zero means 'unlimited'.
If you want to block specific hosts it's the best idea to set the limit to 1 (1 Byte).
Whenever a packet arrives, the current value plus the packet length are greater than the limit and the packet is dropped.
- mode (type: host,user,glob)
This variable specifies the mode of setting the current quota. The possible values for this variable are add (default), set or sub. add means that the two values are added together, set overwrites the current counter value and sub subtracts the new value from the old one.
Sub has just been added for completeness. I can't imagine any case where this could be useful (tell me if you know better ;-)).
- Warning:
- You cannot pass comments to the module, so remove them (e.g. with sed or grep)
Generated on Wed Sep 13 18:20:14 2006 for nf_quota by
1.4.4