Match by how many bytes or packets a connection (or one of the two

flows constituting the connection) has transferred so far, or by

average bytes per packet.

.PP

The counters are 64-bit and are thus not expected to overflow ;)

.PP

The primary use is to detect long-lived downloads and mark them to be

scheduled using a lower priority band in traffic control.

.PP

The transferred bytes per connection can also be viewed through

`conntrack \-L` and accessed via ctnetlink.

.PP

NOTE that for connections which have no accounting information, the match will

always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls

whether \fBnew\fP connections will be byte/packet counted. Existing connection

flows will not be gaining/losing a/the accounting structure when be sysctl flag

is flipped.

.TP

[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP]

match packets from a connection whose packets/bytes/average packet

size is more than FROM and less than TO bytes/packets. if TO is

omitted only FROM check is done. "!" is used to match packets not

falling in the range.

.TP

\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP}

which packets to consider

.TP

\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP}

whether to check the amount of packets, number of bytes transferred or

the average size (in bytes) of all packets received so far. Note that

when "both" is used together with "avgpkt", and data is going (mainly)

only in one direction (for example HTTP), the average packet size will

be about half of the actual data packets.

.TP

Example:

iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...