Connbytes iptables match

  • 2.2.2004 Patch for 2.4.24 from Kovarththanan Rajaratnam is here. No time to write a long story. Here is the content of the README:

    The connbytes patch adds a new match to iptables. A new
    field is added to the conntrack structure so that we can
    count transferred bytes per connection.
    The counter is limited to the value 0xffff0000. Thus it cannot
    overflow, but it also cannot measure more than 4 GBytes.
    The primary usage is to detect long-lived download connections
    (often HTTP/FTP/SMTP/NNTP or SCP) and mark them to be scheduled
    using a lower priority band in Traffic Control.
    I also patched the /proc/net/ip_conntrack output so that the
    byte count is displayed there too.
    Apply the patches to the kernel tree and the iptables userspace
    tool tree, then recompile and install.
    Example of usage:
     iptables -A INPUT -m connbytes --connbytes 10000:100000 -j DROP
    [!] --connbytes FROM:[TO]
    It matches packets from a connection that has transferred more
    than FROM and less than TO bytes. If TO is omitted, only the
    FROM check is done. "!" selects packets not belonging to the
    range above.
    And here is the download: connbytes-1.0a-patches.tgz. This patch is against the 2.4.17 kernel and the 1.2.4 iptables userspace tool.

    For 2.4.20 use the iptables tool patch from above plus this kernel patch.
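As an added example (this is not code from the patch or from its author), the match semantics described in the README modelled in userspace C: the saturating per-connection byte counter, the FROM:[TO] range check with "!" inversion, and a parser for the argument syntax. Three things are assumptions of this model rather than statements of the README: the bounds are treated as inclusive, an omitted TO (or a bare "FROM:") means no upper bound, and a packet's bytes are accounted to the connection before the match is evaluated. Check the patch source for the exact comparison before relying on a boundary value.

```c
/* Model of the connbytes match described in the README above.
 * Added example for illustration; not the patch's own code.
 * Assumptions: inclusive bounds, TO == 0 means "no upper bound", bytes are
 * accounted before matching, counter saturates at 0xffff0000 (per README). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONNBYTES_MAX 0xffff0000UL      /* counter ceiling from the README */

struct conn {
    uint32_t bytes;                     /* the field the patch adds to the conntrack entry */
};

/* Rule as parsed from "[!]FROM[:TO]". */
struct connbytes_rule {
    uint32_t from;
    uint32_t to;                        /* 0: only the FROM check is done (assumption) */
    bool invert;
};

/* Account a packet to its connection. Saturate instead of wrapping: a wrapped
 * counter would make a multi-gigabyte download look "small" again and let it
 * fall back out of the range a rule was written to catch. */
uint32_t connbytes_account(struct conn *c, uint32_t len)
{
    if ((uint32_t)CONNBYTES_MAX - c->bytes < len)
        c->bytes = (uint32_t)CONNBYTES_MAX;
    else
        c->bytes += len;
    return c->bytes;
}

/* Is the connection inside the range, or outside it when "!" was given? */
bool connbytes_match(const struct conn *c, const struct connbytes_rule *r)
{
    bool in_range = c->bytes >= r->from && (r->to == 0 || c->bytes <= r->to);
    return in_range != r->invert;
}

/* Parse the userspace argument syntax "[!]FROM[:TO]". Returns 0 on success,
 * -1 on malformed input (missing FROM, non-numeric text, value above the
 * counter ceiling, or TO smaller than FROM). */
int connbytes_parse(const char *arg, struct connbytes_rule *r)
{
    char *end;
    unsigned long v;
    memset(r, 0, sizeof(*r));
    if (*arg == '!') { r->invert = true; arg++; }
    while (*arg == ' ') arg++;
    if (*arg == '\0' || *arg == ':') return -1;
    v = strtoul(arg, &end, 10);
    if (end == arg || v > CONNBYTES_MAX) return -1;
    r->from = (uint32_t)v;
    if (*end == '\0') return 0;         /* TO omitted: FROM check only */
    if (*end != ':') return -1;
    arg = end + 1;
    if (*arg == '\0') return 0;         /* "FROM:" treated the same (assumption) */
    v = strtoul(arg, &end, 10);
    if (end == arg || *end != '\0' || v > CONNBYTES_MAX || v < r->from) return -1;
    r->to = (uint32_t)v;
    return 0;
}

/* Run a stream of packet sizes through one rule on a fresh connection and
 * report how many packets would have matched (account, then match, per packet). */
unsigned long connbytes_count_matches(const struct connbytes_rule *r,
                                      const uint32_t *pkt_len, size_t n)
{
    struct conn c = { 0 };
    unsigned long hits = 0;
    for (size_t i = 0; i < n; i++) {
        connbytes_account(&c, pkt_len[i]);
        if (connbytes_match(&c, r)) hits++;
    }
    return hits;
}

int main(void)
{
    struct connbytes_rule r;
    struct conn c = { 0 };
    /* constructed packet sizes: a download that grows through and past the range */
    uint32_t pkts[] = { 6000, 6000, 50000, 50000 };
    if (connbytes_parse("10000:100000", &r) != 0) return 1;   /* the README's rule */
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        connbytes_account(&c, pkts[i]);
        printf("conn bytes=%u match=%d\n", c.bytes, connbytes_match(&c, &r));
    }
    /* push the counter to its ceiling: it saturates, it does not wrap */
    connbytes_account(&c, 0xffffffffU);
    printf("after saturation bytes=0x%x match=%d\n", c.bytes, connbytes_match(&c, &r));
    return 0;
}
```

The saturation case is the one worth noticing: once a connection has moved more than 0xffff0000 bytes it stays at the ceiling, so a rule with an upper bound never sees it drop back into the low range, and a FROM-only rule keeps matching it. In the README's intended deployment the DROP target of the example would be replaced by MARK in the mangle table, with tc sending marked packets to the lower priority band; because the counter lives in the conntrack entry, the rule can only fire where connection tracking is active for that traffic.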