The connbytes patch adds new match to the iptables. New field is added to the conntrack structure so that we can count transfered bytes per connection. The counter is limited to value 0xffff0000. Thus it can't overflow and also can't measure more than 4GBytes. The primary usage is to detect long-lived download connections (often HTTP/FTP/SMTP/NNTP or SCP) and mark them to be scheduled using lower priority band in Traffic Control. I also patched /proc/net/ip_conntrack output so that bytes are displayed here too. Apply the patches to kernel tree and iptables userspace tool tree, recompile and install. Example of usage: iptables -A INPUT -m connbytes --connbytes 10000:100000 -j DROP Syntax: [!] --connbytes FROM:[TO] It will match packets from connection which transfered more than FROM and less than TO bytes. If TO is ommited then only FROM check is done. "!" is used to select packets not belonging to range above. firstname.lastname@example.orgAnd here is download: connbytes-1.0a-patches.tgz. this patch is against 2.4.17 kernel and 1.2.4 iptables userspace tool.
For 2.4.20 use iptables tool patch from above plus this kernel patch.