From: Patrick McHardy <kaber@trash.net>
To: Retesh <retesh.chadha@gmail.com>
Cc: netfilter-request@lists.netfilter.org,
	netfilter-devel@lists.netfilter.org,
	netfilter@lists.netfilter.org
Subject: Re: hashlimit not working in iptable chains
Date: Fri, 01 Dec 2006 17:27:32 +0100	[thread overview]
Message-ID: <457057F4.3050703@trash.net> (raw)
In-Reply-To: <b322db070612010336v62e5f822pf9b6e1397b22b859@mail.gmail.com>

Retesh wrote:
> Hi All
> I am having a scenario where the iptables hashlimit feature is not
> working as expected. Following is the list of IP rules
> 
> INPUT (policy ACCEPT 1342 packets, 488K bytes)
> 1840  755K TEST       all  --  any    any     anywhere             anywhere
> 
> TEST (1 references)
> 0     0 CHAIN2     all  --  any    any     anywhere
> anywhere            set SET2 dst
> 1840  755K CHAIN1     all  --  any    any     anywhere
> anywhere            set SET1 dst
> 
> CHAIN1 (1 references)
> 919  375K ACCEPT     all  --  any    any     anywhere
> anywhere            limit: avg 200/sec burst 10 mode dstip
> 921  380K LOG        all  --  any    any     anywhere
> anywhere            LOG level warning prefix `_SET1'
> 
> CHAIN2 (1 references)
> 0     0 ACCEPT     all  --  any    any     anywhere
> anywhere            limit: avg 50/sec burst 10 mode dstip
> 0     0 LOG        all  --  any    any     anywhere
> anywhere            LOG level warning prefix `_SET2'
> 
> Here, SET1 and SET2 are iphash
> 
> Now after applying the above rules, irrespective of which set (SET1 or
> SET2) I send the packets from, I find that the limit that is used is
> 50/s, even though there are different chains for different sets. That
> is, packets from SET1 match CHAIN1 but the hashlimit value that's used
> is 50/s.
> So effectively the hashlimit that is set for all the chains is the one
> in the chain that occurs first.
> 
> Am I doing something wrong here, or is this a limitation with hashlimit?


This is a known problem, the limit is a property of the hashlimit table,
not the individual rules. You have to use separate --hashlimit-name
parameters.
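The following is an added illustration of the fix Patrick describes; it is not part of the thread and not code from the netfilter project. It rewrites the two chains so each one names its own hashlimit table, and adds a small audit that reads iptables-save style rules and reports any table name shared by rules in different chains, which is exactly the condition that makes one chain's rate govern the other. It assumes the current option spellings (--hashlimit-upto, --hashlimit-burst, --hashlimit-mode, --hashlimit-name); the table name "limit" in the broken excerpt is a constructed stand-in for whatever name the original rules shared. Nothing here touches the live firewall or needs root; it only builds and inspects rule text.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Shows per-chain
# --hashlimit-name tables and an audit for accidentally shared tables.

# Emit the ACCEPT/LOG pair for one chain, with its own hashlimit table.
# $1 chain, $2 table name, $3 rate, $4 burst, $5 log prefix
hashlimit_rules() {
    chain=$1; name=$2; rate=$3; burst=$4; prefix=$5
    printf '%s\n' \
      "-A $chain -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-mode dstip --hashlimit-name $name -j ACCEPT" \
      "-A $chain -j LOG --log-level warning --log-prefix $prefix"
}

# Corrected rule set: distinct table names, so CHAIN2's 50/sec bucket can
# no longer be the one consulted by CHAIN1's 200/sec rule.
fixed_rules() {
    hashlimit_rules CHAIN1 set1_limit 200/sec 10 _SET1
    hashlimit_rules CHAIN2 set2_limit 50/sec 10 _SET2
}

# Constructed iptables-save excerpt reproducing the problem: two chains,
# two different rates, but the same table name ("limit" is made up here).
BROKEN_RULES='-A CHAIN1 -m hashlimit --hashlimit-upto 200/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name limit -j ACCEPT
-A CHAIN2 -m hashlimit --hashlimit-upto 50/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name limit -j ACCEPT'

# Audit: read rules on stdin, print "name: chainA,chainB" for every
# hashlimit table referenced from more than one chain. Empty output = clean.
shared_hashlimit_names() {
    awk '
      /-m hashlimit/ {
        chain = ""; name = ""
        for (i = 1; i <= NF; i++) {
          if ($i == "-A") chain = $(i + 1)
          if ($i == "--hashlimit-name") name = $(i + 1)
        }
        if (name == "" || chain == "") next
        key = name SUBSEP chain
        if (key in seen) next          # same chain, same table: fine
        seen[key] = 1
        sep = (chains[name] == "") ? "" : ","
        chains[name] = chains[name] sep chain
        count[name]++
      }
      END { for (n in count) if (count[n] > 1) print n ": " chains[n] }
    '
}

# Stand-alone use: show the corrected rules, then audit both rule sets.
fixed_rules
printf '%s\n' "$BROKEN_RULES" | shared_hashlimit_names
fixed_rules | shared_hashlimit_names
```

Run it as a plain script; the audit line for the broken excerpt reports `limit: CHAIN1,CHAIN2`, while the corrected rules produce no report. The same `shared_hashlimit_names` function can be fed real `iptables-save` output to confirm that no two chains share a table.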

