[clug] network quotas

Kim Holburn kim.holburn at anu.edu.au
Wed Apr 16 20:24:26 EST 2003

At 6:59 PM +1000 2003/04/16, Michael Still wrote:
>On Wed, 16 Apr 2003, Kim Holburn wrote:
>> I have a linux router and I want to set a network quota on the
>> throughput.  Say 500MB per machine behind the router.
>How about an iptables plugin which checks its little list, and then can
>reject over quota packets?

If you're talking about the quota patch, I don't think it can do what I want.  It sets an absolute quota (a per router reboot quota), not a per day quota.  Maybe the limit match might be better.

There is no way to set an automatic per machine quota if you have a lot of machines but to put a special rule for each machine.  To get to each rule each packet would have to be tested against half the number of hosts on average, or I'd have to use a binary chop for every packet that came in, effectively adding between 50 and thousands of tests on each packet.

In my case I'd have to have hundreds, maybe thousands, of rules all sitting in the kernel using memory.  It would slow down all my network traffic.  It also overloads netfilter iptables.  What I mean is: I am using iptables to filter.  I would also have to use it to do quotas.  I have to put the quota rules on after I have accepted the traffic in the filters.  I don't want to add a packet's traffic to a quota when I will later block that packet.  Then I'd want to somehow save the quota counters between resets of iptables and reboots.  Some of this is possible, some I can't see how to do, and I'm not sure it would not run like a dog after all that.  There must be an easier way.

Kim Holburn 
Network Consultant - Telecommunications Engineering
Research School of Information Sciences and Engineering
Australian National University - Ph: +61 2 61258620 M: +61 0417820641
Email: kim.holburn at anu.edu.au  - PGP Public Key on request

Life is complex - It has real and imaginary parts.
     Andrea Leistra (rec.arts.sf.written.Robert-jordan)
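
The bookkeeping described in the message above (per-day totals per machine that survive counter resets, looked up by host rather than by walking a rule list), as an added example that is not part of the original post or thread. The function names, the JSON state file, the shape of the readings input and the reading of 500MB as 500 * 1024 * 1024 bytes are all assumptions; how the cumulative counters of accepted traffic are collected is left out.

```python
import json
from datetime import date

QUOTA_BYTES = 500 * 1024 * 1024  # 500MB per machine per day (binary MB assumed)

def new_state():
    return {"day": None, "used": {}, "last": {}}

def update(state, readings, today=None):
    """Fold one snapshot of cumulative per-host byte counters into state.

    readings: {host_ip: cumulative_bytes} for traffic already accepted by
    the filter (hypothetical input; collecting it is out of scope here).
    """
    day = (today or date.today()).isoformat()
    if state["day"] != day:
        # New day: usage restarts, but the last raw readings are kept so
        # bytes counted before midnight are not charged a second time.
        state["day"] = day
        state["used"] = {}
    for host, raw in readings.items():
        last = state["last"].get(host)
        if last is None or raw < last:
            # First sighting, or the counter went backwards: the rules were
            # reloaded or the router rebooted, so counting restarted at 0.
            delta = raw
        else:
            delta = raw - last
        state["last"][host] = raw
        # Dict lookup per host: cost does not grow with the number of hosts.
        state["used"][host] = state["used"].get(host, 0) + delta
    return state

def over_quota(state, quota=QUOTA_BYTES):
    """Hosts whose usage for the current day exceeds the quota."""
    return sorted(h for h, used in state["used"].items() if used > quota)

def save(state, path):
    with open(path, "w") as f:
        json.dump(state, f)

def load(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return new_state()
```

A reset is only detected when the new reading is lower than the previous one, so snapshots need to be taken often enough that a restarted counter has not already passed its old value.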
