From: "Nataniel Klug" <nata@cnett.com.br>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] limit number of connections per ip
Date: Fri, 03 Feb 2006 09:54:08 +0000
Message-ID: <004c01c628a7$c736e1b0$0e001eac@NATANIEL>
In-Reply-To: <20060202205801.32822.qmail@web37002.mail.mud.yahoo.com>

So Rasmus,

If I put a limit on TCP connections, will it be reflected in UDP connections
over the same source IP?

How can I put a limit on TCP connections?

Att,

Nataniel Klug

----- Original Message ----- 
From: "Rasmus Melgaard" <rme@image.dk>
To: <lartc@mailman.ds9a.nl>
Sent: Thursday, February 02, 2006 7:17 PM
Subject: Re: [LARTC] limit number of connections per ip


> Well, only TCP has connections; UDP has none, it is only a stream of
> packets.
>
> So for each user (IP) you could make a class for TCP and one for UDP.
>
>        IP
>       /  \
>     TCP  UDP
>
> The TCP class you already know how to limit, the UDP class I would limit
> with pfifo with a suitable packet limit setting (in practice this would
> lead to the same effect as the TCP conn. limiting). Although not a hard
> limit.
>
> Extra:
> I would make a separate high prio class for ICMP to communicate errors,
> connection failures back and forth.
>
> NB! P2P normally uses TCP (I know BitTorrent does)
>
> BR
> Rasmus Melgaard
>
>
>
> On Thursday 02 February 2006 21:58, Jan Tomak wrote:
> >   Hello!
> >
> >   I've read a lot of mail archives, but can't find solutions for my
> > problem. I have a router with about 700 users. I'm using HTB with SFQ
> > leaf qdiscs for every user (client ip). So, different IPs can have their
> > own rate limit. This scheme has been working fine for a long time. But
> > how can I limit the number of connections (sessions) from one host? I
> > see from ip_conntrack that some users have more than 1000 active
> > connections (mostly P2P udp). As far as I know there is a connlimit
> > patch for iptables, but it is capable of limiting only tcp sessions. And
> > there is the ESFQ qdisc, allowing to divide bandwidth more fairly, but
> > inside one class. In my case every user has its own class and I'm not
> > able to control how many connections simultaneously they do implementing
> > ESFQ! Also I don't understand how to deal with it from the iptables
> > side - connlimit will not help with UDP.
> >
> >   What can be done in my case?
> >
> >

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
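
The class layout described in the quoted reply (a per-IP class with TCP and UDP children, pfifo on the UDP leaf, a high-priority ICMP class), sketched as an added example that is not from any poster in this thread. The device name, class-id scheme, rate split, match direction, and the pre-existing HTB root `1:` with class `1:1` are all assumptions.

```shell
#!/bin/sh
# Added example: only PRINTS tc commands, so they can be reviewed before use.
# Assumed (not from the thread): an HTB root qdisc "1:" with class 1:1 already
# exists on DEV, shaping is toward the client (match on dst), and the rate split.

# emit_user_classes DEV IP N RATE_KBIT UDP_PKTS
#   N: per-user number 1..999, used to build class ids 1:N0 .. 1:N3
emit_user_classes() {
    dev=$1 ip=$2 n=$3 rate=$4 udp_pkts=$5
    # Reject anything that could smuggle shell syntax into the printed commands.
    case $dev in ''|*[!A-Za-z0-9_.-]*) echo "bad device" >&2; return 1 ;; esac
    case $ip in ''|*[!0-9.]*) echo "bad IPv4 address" >&2; return 1 ;; esac
    for v in "$n" "$rate" "$udp_pkts"; do
        case $v in ''|*[!0-9]*) echo "not a number: '$v'" >&2; return 1 ;; esac
    done
    if [ "$n" -lt 1 ] || [ "$n" -gt 999 ] || [ "$rate" -lt 20 ] || [ "$udp_pkts" -lt 1 ]; then
        echo "value out of range" >&2; return 1
    fi
    # Guaranteed shares add up to the user's rate; every child may borrow up to it.
    icmp=$((rate / 20)); udp=$((rate / 4)); tcp=$((rate - icmp - udp))
    c="tc class add dev $dev"; q="tc qdisc add dev $dev"
    f="tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip dst $ip/32"

    # Per-IP parent: the user's total rate, as in the existing per-user setup.
    echo "$c parent 1:1 classid 1:${n}0 htb rate ${rate}kbit ceil ${rate}kbit"
    # ICMP: small guaranteed share, highest priority, so errors get through.
    echo "$c parent 1:${n}0 classid 1:${n}1 htb rate ${icmp}kbit ceil ${rate}kbit prio 0"
    # TCP: SFQ leaf keeps flows fair inside the class.
    echo "$c parent 1:${n}0 classid 1:${n}2 htb rate ${tcp}kbit ceil ${rate}kbit prio 1"
    echo "$q parent 1:${n}2 sfq perturb 10"
    # UDP: pfifo with a short queue; excess packets are dropped (a soft limit).
    echo "$c parent 1:${n}0 classid 1:${n}3 htb rate ${udp}kbit ceil ${rate}kbit prio 2"
    echo "$q parent 1:${n}3 pfifo limit $udp_pkts"
    # Classify by IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP.
    echo "$f match ip protocol 1 0xff flowid 1:${n}1"
    echo "$f match ip protocol 6 0xff flowid 1:${n}2"
    echo "$f match ip protocol 17 0xff flowid 1:${n}3"
}

# Constructed sample: user number 7, 10.0.0.7, 1024 kbit, 30 queued UDP packets.
emit_user_classes eth0 10.0.0.7 7 1024 30
```

The pfifo limit caps queued UDP packets for the host, not the number of UDP flows, which matches the "not a hard limit" remark in the reply.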
