* Re: hashlimit module parameters
From: Harald Welte @ 2005-09-22 21:51 UTC
To: Imre Gergely; +Cc: Netfilter Development Mailinglist
On Thu, Sep 22, 2005 at 02:14:17PM +0300, Imre Gergely wrote:
>
> hi
>
> i was wondering about something. i want to use this hashlimit module,
> and the doc says the --hashlimit parameter is just like the one in the
> limit match, but when i want to do
>
> /usr/local/iptables-1.3.3-20050921/sbin/iptables -A INPUT -s 1.1.1.1 -m
> hashlimit --hashlimit ! 5/sec --hashlimit-mode srcip --hashlimit-name
> test -j ACCEPT
>
> it gives me an error:
>
> iptables v1.3.3-20050921: hashlimit does not support invert
> Try `iptables -h' or 'iptables --help' for more information.
>
> is there a way to specify an invert to this ?
I don't think so, sorry :( Seems like I forgot to take care of limit
inversion. Patches welcome.
--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: hashlimit module parameters
From: Jakub Wartak @ 2005-09-25 7:19 UTC
To: Harald Welte, Imre Gergely, Netfilter Development Mailinglist
On Thursday, 22 September 2005 23:51, Harald Welte wrote:
> On Thu, Sep 22, 2005 at 02:14:17PM +0300, Imre Gergely wrote:
> > hi
> >
> > i was wondering about something. i want to use this hashlimit module,
> > and the doc says the --hashlimit parameter is just like the one in the
> > limit match, but when i want to do
> >
> > /usr/local/iptables-1.3.3-20050921/sbin/iptables -A INPUT -s 1.1.1.1 -m
> > hashlimit --hashlimit ! 5/sec --hashlimit-mode srcip --hashlimit-name
> > test -j ACCEPT
> >
> > it gives me an error:
> >
> > iptables v1.3.3-20050921: hashlimit does not support invert
> > Try `iptables -h' or 'iptables --help' for more information.
> >
> > is there a way to specify an invert to this ?
>
> I don't think so, sorry :( Seems like I forgot to take care of limit
> inversion. Patches welcome.
I resolved it using the RETURN target; examples are here:
http://vnull.pcnet.com.pl/nf/pomysly_netfilter3.pdf
It is written in Polish, but I think the examples are easy to
understand :)
--
Jakub Wartak
-vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator
http://vnull.pcnet.com.pl/
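The RETURN idiom Jakub points to, written out as an added example (this is not code from the thread or from the linked PDF): hashlimit matches packets that are still under the per-source rate and RETURNs them to the calling chain, so any rule placed after it in the same chain only ever sees traffic that has exceeded the limit, which is exactly what an inverted --hashlimit would have matched. The chain name OVERLIMIT, the rate and burst values, and the dry-run default for IPTABLES are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emulate "! --hashlimit" with RETURN.
# Packets under the per-source rate match hashlimit and leave the chain;
# anything still in the chain afterwards is, by construction, over-limit.
#
# IPTABLES defaults to a dry run that only prints the commands
# (assumption; set IPTABLES=iptables to apply them for real).
IPTABLES="${IPTABLES:-echo iptables}"

# build_overlimit_chain RATE BURST
# Creates a chain OVERLIMIT (name assumed) and hooks it into INPUT for UDP.
build_overlimit_chain() {
    rate="${1:-5/sec}"
    burst="${2:-5}"

    $IPTABLES -N OVERLIMIT

    # Rule 1: under the limit -> RETURN to the caller. This is the only
    # rule hashlimit is attached to; no negated form of it is needed.
    $IPTABLES -A OVERLIMIT -m hashlimit --hashlimit "$rate" \
        --hashlimit-burst "$burst" --hashlimit-mode srcip \
        --hashlimit-name overlimit -j RETURN

    # Rules 2-3: only over-limit packets get this far, so these rules
    # are the inverted match. Logging is itself rate-limited.
    $IPTABLES -A OVERLIMIT -m limit --limit 1/sec \
        -j LOG --log-prefix 'overlimit: '
    $IPTABLES -A OVERLIMIT -j DROP

    # Caller: send UDP through the chain; under-limit packets come back
    # here and continue down INPUT as usual.
    $IPTABLES -A INPUT -p udp -j OVERLIMIT
}

build_overlimit_chain 5/sec 5
```

One caveat worth keeping in mind with this construction: hashlimit only matches when it can find or create an entry for the source, so if the table is full (see --hashlimit-htable-max) the packet does not match, does not RETURN, and is treated as over-limit. Size the table for the number of distinct sources you expect, or the DROP rule will start hitting legitimate traffic.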
* Re: hashlimit module parameters
From: Imre Gergely @ 2005-09-27 15:06 UTC
To: Netfilter Development Mailinglist; +Cc: Harald Welte
hi
how does this hashlimit behave above a rate of 5000/sec? and how is it
supposed to behave? i tried something like this:
iptables -A limit_udp -p udp -m hashlimit --hashlimit 5000/sec \
    --hashlimit-mode dstip --hashlimit-name limit_udp -j RETURN
iptables -A limit_udp -p udp -m limit --limit 1/sec -j LOG \
    --log-prefix='limit_udp: '
i have some dstip with traffic of around 500pps, but it still appears
in the logs; that means the second rule matches, while it shouldn't
according to hashlimit 5000/sec.
and another thing. if i try with a rate above 5000 (say 6k, 8k) it
always puts 10k in. why is that?
thx.
config: iptables-1.3.2, kernel 2.6.13, dual Intel Xeon CPU 2.40GHz
(pls reply in private too.)
Harald Welte wrote:
> On Thu, Sep 22, 2005 at 02:14:17PM +0300, Imre Gergely wrote:
>
>>hi
>>
>>i was wondering about something. i want to use this hashlimit module,
>>and the doc says the --hashlimit parameter is just like the one in the
>>limit match, but when i want to do
>>
>>/usr/local/iptables-1.3.3-20050921/sbin/iptables -A INPUT -s 1.1.1.1 -m
>>hashlimit --hashlimit ! 5/sec --hashlimit-mode srcip --hashlimit-name
>>test -j ACCEPT
>>
>>it gives me an error:
>>
>>iptables v1.3.3-20050921: hashlimit does not support invert
>>Try `iptables -h' or 'iptables --help' for more information.
>>
>>is there a way to specify an invert to this ?
>
>
> I don't think so, sorry :( Seems like I forgot to take care of limit
> inversion. Patches welcome.
>
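On the "it always puts 10k in" question, an added example (my own reconstruction, not code from the thread or from netfilter): the hashlimit userspace of that era stores a rate not as packets per second but as a period, IPT_HASHLIMIT_SCALE divided by the rate with the scale being 10000, and prints it back as scale divided by the stored value. Both divisions are integer, so every rate above 5000/sec truncates to a stored value of 1, and 1 prints back as 10000/sec. The functions below model that round trip; treat the exact constants as an assumption to check against the iptables source you actually run.

```shell
#!/bin/sh
# Added example, not from the thread: model the integer round trip used to
# store a hashlimit rate (assumption: stored = SCALE / rate, printed back as
# SCALE / stored, with SCALE = 10000, i.e. IPT_HASHLIMIT_SCALE).
SCALE=10000

# hashlimit_stored PPS -> the integer period written into the rule for
# PPS packets/sec; fails (like the userspace "Rate too fast") above SCALE.
hashlimit_stored() {
    if [ "$1" -le 0 ] || [ "$1" -gt "$SCALE" ]; then
        echo "Rate too fast or zero: $1" >&2
        return 1
    fi
    echo $(( SCALE / $1 ))
}

# hashlimit_shown PPS -> the per-second rate that iptables -L prints back
hashlimit_shown() {
    stored="$(hashlimit_stored "$1")" || return 1
    echo $(( SCALE / stored ))
}

# Table for the rates mentioned in the thread plus a couple of neighbours:
# 3334..5000 all store as 2 (shown 5000/sec); 5001..10000 store as 1
# (shown 10000/sec). Requested rates are only representable exactly when
# they divide 10000.
for pps in 500 3333 5000 6000 8000 10000; do
    printf '%6s pps -> stored %2s -> shown %5s/sec\n' \
        "$pps" "$(hashlimit_stored "$pps")" "$(hashlimit_shown "$pps")"
done
```

The practical consequence for a rule like the one above is that 6k or 8k cannot be expressed; the match is effectively configured at 10000/sec, and only rates that divide 10000 evenly (5000, 2500, 2000, 1000, 500, ...) come back out as entered.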