filter for files > 512K

How can I filter files bigger than 512K from being stored in the cache?

I did

/ip firewall nat add action=redirect to-port=8080 connection-bytes=512000-1000000000 chain=dstnat protocol=tcp dst-port=80

but it does not work.

Any idea?

That is logically impossible. NAT only happens on the first packet of a connection and is then repeated for all subsequent packets. It is impossible to know at that point how many bytes will flow through that connection. You cannot make a NAT decision later on; that simply isn’t how TCP/IP works.

Is there another way to know how many bytes the download takes?

I know that the header contains the size of the file. Can I get that information and compare whether it is bigger than 512K?

Any HTTP header is after the TCP handshake; the initial SYN of the handshake is the first packet of the connection. Any NAT decision must be made with that packet, and it contains no reference to how many bytes the connection will transfer. Only an application layer gateway (a proxy) could determine this, and you’d have to push all HTTP connections through that proxy. And the built-in proxy has no functionality for this, so it would have to be a proxy outside the router.

/ip firewall layer7-protocol add name="size" regexp="Content-Length: [0-9]{6}"

this code is for files >= 1MB

You still can’t NAT anymore once the HTTP connection has gotten to a point where that string would show up. You either NAT an HTTP connection on the first packet (TCP/SYN), or not at all. That’s just how it works.

fewi, I don’t think he really cares about NAT, just wants to block the large files.

The L7 filter should generally work, assuming the remote server sends the Content-Length tag. Some files (the ones that download without showing file size) will get through this filter.

Maybe I understood the question wrong. I thought he doesn’t want to proxy large file transfers, using a transparent proxy. Transparent proxies work via NAT. You can’t do L7 filters on HTTP downloads until the HTTP header shows up, which is at the earliest in packet number 4. At that point you can’t NAT anymore, and thus can’t transparently proxy anymore at all. Or stop transparently proxying, for that matter, because you’re locked into whatever you did to the first packet.

If you’re right and he wants to just prevent all large downloads completely then yeah, waiting for the content header or just dropping based on connection-bytes you can kill all large downloads.

I’d be irate as a customer, though. Sometimes I want to download large files. Prevent that and you’ll stop getting money from me pretty damn quick.
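An added illustration of the two points made in this thread (not code from the forum or from RouterOS): the size of a download is only visible once HTTP headers arrive, well after the SYN on which a NAT redirect must be decided, and a Content-Length check of the kind an external proxy could apply silently passes responses that carry no Content-Length at all. The packet exchange below is constructed; the layer7 regexp is the one posted above, run as an unanchored search the way a layer7 matcher applies it.

```python
import re

LIMIT = 512 * 1024  # the 512K threshold asked about in the thread

# The layer7 regexp posted in the thread, applied as an unanchored search.
L7_SIZE = re.compile(rb"Content-Length: [0-9]{6}")


def content_length(headers: bytes):
    """Return the Content-Length of an HTTP header block, or None when the server
    sent none (e.g. chunked encoding), the case the thread notes will slip through."""
    m = re.search(rb"^Content-Length:[ \t]*([0-9]+)[ \t]*\r?$", headers, re.I | re.M)
    return int(m.group(1)) if m else None


def over_limit(headers: bytes, limit: int = LIMIT) -> bool:
    """The check a proxy outside the router could make: True only when a
    Content-Length is present and exceeds the limit."""
    n = content_length(headers)
    return n is not None and n > limit


def l7_matches(headers: bytes) -> bool:
    """Whether the posted layer7 pattern fires on this header block."""
    return L7_SIZE.search(headers) is not None


def first_packet_with_size(packets):
    """packets: (direction, payload) tuples in wire order, index 0 being the client SYN,
    the only packet a NAT redirect can be decided on. Returns the index of the first
    packet whose payload reveals Content-Length, or None if no packet does."""
    for i, (_direction, payload) in enumerate(packets):
        if content_length(payload) is not None:
            return i
    return None


# Constructed exchange: the handshake carries no payload, the request (packet 4)
# carries the first HTTP header, and the size only appears in the response (packet 5).
EXCHANGE = [
    ("c->s", b""),  # SYN: NAT decision is made here, no size information exists yet
    ("s->c", b""),  # SYN/ACK
    ("c->s", b""),  # ACK
    ("c->s", b"GET /big.iso HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("s->c", b"HTTP/1.1 200 OK\r\nContent-Length: 734003200\r\n\r\n"),
]

if __name__ == "__main__":
    idx = first_packet_with_size(EXCHANGE)
    print("size first visible in packet", idx + 1, "of the exchange")
    print("over limit:", over_limit(EXCHANGE[idx][1]), "l7 fires:", l7_matches(EXCHANGE[idx][1]))
```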