Match by how many bytes or packets a connection (or one of the two
flows constituting the connection) has transferred so far, or by
average bytes per packet.
.PP
The counters are 64-bit and are thus not expected to overflow ;)
.PP
The primary use is to detect long-lived downloads and mark them to be
scheduled using a lower priority band in traffic control.
.PP
The transferred bytes per connection can also be viewed through
`conntrack \-L` and accessed via ctnetlink.
.PP
NOTE that for connections which have no accounting information, the match will
always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls
whether \fBnew\fP connections will be byte/packet counted. Existing connection
flows will not gain or lose the accounting structure when the sysctl flag
is flipped.
.TP
[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP]
Match packets from a connection whose packets/bytes/average packet
size is more than FROM and less than TO bytes/packets. If TO is
omitted, only the FROM check is done. "!" is used to match packets not
falling in the range.
.TP
\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP}
Which packets to consider.
.TP
\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP}
Whether to check the number of packets, the number of bytes transferred or
the average size (in bytes) of all packets received so far. Note that
when "both" is used together with "avgpkt", and data is going (mainly)
only in one direction (for example HTTP), the average packet size will
be about half the size of the actual data packets.
.TP
Example:
iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...
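.PP
The avgpkt note and the accounting NOTE above, modelled in Python as an added example (this is not netfilter or iptables code). The Flow and Conn classes, the function names and the sample packet counts are constructed for illustration, and inclusive range bounds are an assumption of the model.

```python
# Added model of the match semantics described above; not netfilter code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    packets: int
    nbytes: int

@dataclass
class Conn:
    original: Flow
    reply: Flow
    acct: bool = True  # False: created while nf_conntrack_acct was 0

def counter(conn: Conn, direction: str, mode: str) -> int:
    """Value that --connbytes-dir / --connbytes-mode select for comparison."""
    flows = {"original": [conn.original], "reply": [conn.reply],
             "both": [conn.original, conn.reply]}[direction]
    pkts = sum(f.packets for f in flows)
    total = sum(f.nbytes for f in flows)
    if mode == "packets":
        return pkts
    if mode == "bytes":
        return total
    if mode == "avgpkt":
        return total // pkts if pkts else 0
    raise ValueError(f"unknown mode: {mode}")

def connbytes_match(conn: Conn, lo: int, hi: Optional[int] = None,
                    direction: str = "both", mode: str = "bytes",
                    invert: bool = False) -> bool:
    if not conn.acct:
        return False  # no accounting information: always false (see NOTE)
    value = counter(conn, direction, mode)
    # Assumption of this model: both bounds are inclusive.
    in_range = value >= lo and (hi is None or value <= hi)
    return in_range != invert  # "!" matches packets outside the range

# Constructed sample: a 1000-packet download with full-size data packets in
# the reply direction and small ACKs in the original direction.
DOWNLOAD = Conn(original=Flow(1000, 52_000), reply=Flow(1000, 1_500_000))

if __name__ == "__main__":
    for d in ("original", "reply", "both"):
        print(d, counter(DOWNLOAD, d, "avgpkt"))
    print(connbytes_match(DOWNLOAD, 10000, 100000))
```

With these constructed counts, "reply" sees the 1500-byte data packets while "both" averages them with the ACKs and lands near half that size, so an avgpkt threshold tuned for one direction will not behave the same with "both".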
37