From: Brian Schang <netfilter@lists.schang.net>
To: netfilter@vger.kernel.org
Subject: hashlimit not working as expected
Date: Sun, 14 Feb 2010 23:45:34 -0500
Message-ID: <4B78D16E.7010101@lists.schang.net>
Hello:
I have the following rule in my iptables setup:
-A LogLimit -m hashlimit --hashlimit 1/hour --hashlimit-burst 1
--hashlimit-name loglimit --hashlimit-mode srcip -j LOG --log-level 6
--log-prefix "LogLimit:1:LOG "
My goal is to log connections to an incoming port, but restrict the
logging to one entry per IP address per hour. But instead, I get log
entries from the same IP address as close together as 10 seconds.
I have looked at /proc/net/ipt_hashlimit/loglimit and see contents in
that file, but the contents only last for ten seconds and then the file
is cleared (or the corresponding entry is removed):
Sun Feb 14 23:40:21 EST 2010
9 65.55.158.80:0->0.0.0.0:0 21632 115200000 115200000
9 91.113.8.223:0->0.0.0.0:0 23936 115200000 115200000
Sun Feb 14 23:40:22 EST 2010
9 65.55.158.80:0->0.0.0.0:0 53760 115200000 115200000
8 91.113.8.223:0->0.0.0.0:0 56064 115200000 115200000
Sun Feb 14 23:40:23 EST 2010
8 65.55.158.80:0->0.0.0.0:0 86016 115200000 115200000
7 91.113.8.223:0->0.0.0.0:0 88320 115200000 115200000
Sun Feb 14 23:40:24 EST 2010
9 65.55.158.80:0->0.0.0.0:0 118144 115200000 115200000
6 91.113.8.223:0->0.0.0.0:0 120448 115200000 115200000
Sun Feb 14 23:40:25 EST 2010
8 65.55.158.80:0->0.0.0.0:0 150272 115200000 115200000
5 91.113.8.223:0->0.0.0.0:0 152576 115200000 115200000
Sun Feb 14 23:40:26 EST 2010
7 65.55.158.80:0->0.0.0.0:0 182400 115200000 115200000
4 91.113.8.223:0->0.0.0.0:0 184704 115200000 115200000
Sun Feb 14 23:40:27 EST 2010
6 65.55.158.80:0->0.0.0.0:0 214656 115200000 115200000
3 91.113.8.223:0->0.0.0.0:0 216960 115200000 115200000
Sun Feb 14 23:40:28 EST 2010
5 65.55.158.80:0->0.0.0.0:0 246784 115200000 115200000
2 91.113.8.223:0->0.0.0.0:0 249088 115200000 115200000
Sun Feb 14 23:40:29 EST 2010
4 65.55.158.80:0->0.0.0.0:0 278912 115200000 115200000
1 91.113.8.223:0->0.0.0.0:0 281216 115200000 115200000
Sun Feb 14 23:40:30 EST 2010
9 65.55.158.80:0->0.0.0.0:0 311040 115200000 115200000
9 91.113.8.223:0->0.0.0.0:0 313344 115200000 115200000
Sun Feb 14 23:40:31 EST 2010
9 65.55.158.80:0->0.0.0.0:0 343168 115200000 115200000
9 91.113.8.223:0->0.0.0.0:0 345472 115200000 115200000
Sun Feb 14 23:40:32 EST 2010
8 65.55.158.80:0->0.0.0.0:0 375424 115200000 115200000
8 91.113.8.223:0->0.0.0.0:0 377728 115200000 115200000
Sun Feb 14 23:40:33 EST 2010
9 65.55.158.80:0->0.0.0.0:0 408960 115200000 115200000
7 91.113.8.223:0->0.0.0.0:0 411264 115200000 115200000
Sun Feb 14 23:40:34 EST 2010
8 65.55.158.80:0->0.0.0.0:0 441088 115200000 115200000
6 91.113.8.223:0->0.0.0.0:0 443392 115200000 115200000
Sun Feb 14 23:40:35 EST 2010
7 65.55.158.80:0->0.0.0.0:0 473344 115200000 115200000
5 91.113.8.223:0->0.0.0.0:0 475648 115200000 115200000
Sun Feb 14 23:40:36 EST 2010
6 65.55.158.80:0->0.0.0.0:0 505472 115200000 115200000
4 91.113.8.223:0->0.0.0.0:0 507776 115200000 115200000
Sun Feb 14 23:40:37 EST 2010
5 65.55.158.80:0->0.0.0.0:0 537600 115200000 115200000
3 91.113.8.223:0->0.0.0.0:0 539904 115200000 115200000
Sun Feb 14 23:40:38 EST 2010
4 65.55.158.80:0->0.0.0.0:0 569728 115200000 115200000
2 91.113.8.223:0->0.0.0.0:0 572032 115200000 115200000
Sun Feb 14 23:40:39 EST 2010
3 65.55.158.80:0->0.0.0.0:0 601856 115200000 115200000
1 91.113.8.223:0->0.0.0.0:0 604160 115200000 115200000
Sun Feb 14 23:40:40 EST 2010
2 65.55.158.80:0->0.0.0.0:0 633984 115200000 115200000
0 91.113.8.223:0->0.0.0.0:0 636288 115200000 115200000
Sun Feb 14 23:40:41 EST 2010
1 65.55.158.80:0->0.0.0.0:0 666240 115200000 115200000
Sun Feb 14 23:40:42 EST 2010
0 65.55.158.80:0->0.0.0.0:0 698368 115200000 115200000
Sun Feb 14 23:40:43 EST 2010
My amateur conclusion is that the 'hashlimit' match is only doing
limiting for 10 seconds -- (1) consistent with the duration I see an IP
in the ipt_hashlimit directory; and (2) consistent with the fact that I
have seen log entries from the same IP 11 seconds apart.
Am I understanding this correctly? Any suggestions?
Thank you.
--
Brian Schang
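The following is an added example; it is not part of the original post and there is no reply in the archive. In the table the poster pastes, the first column is the entry's remaining lifetime in seconds and the last three columns are the bucket's credit, credit cap and per-packet cost, so an entry that counts down from 9 to 0 and disappears is living exactly as long as the --hashlimit-htable-expire value, which iptables releases of that era defaulted to 10000 ms when the option was not given (newer releases derive the default from the rate unit instead). When a bucket is garbage-collected before it has refilled one credit, the next packet from that address creates a fresh bucket with the full burst and passes the match again, which is the "one log line every ten seconds" behaviour described above. The script below audits iptables-save output for this mismatch and can re-emit the rules with an explicit expiry; it runs on a constructed set of rules that mirrors the poster's, and the defaults it assumes (burst 5, expiry 10000 ms) are labelled as assumptions in the code.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits hashlimit rules for
# buckets that expire before they regain one credit, and optionally rewrites
# them with --hashlimit-htable-expire set to the refill interval.
#
# Assumptions (not taken from the page): when the option is absent, iptables
# of that era used --hashlimit-burst 5 and --hashlimit-htable-expire 10000 ms.

hashlimit_audit() {
    # $1 = "report" (default) prints one line per hashlimit rule;
    #      "fix" re-emits every input line, patching only rules that need it.
    # Input: iptables-save formatted rules on stdin.
    awk -v mode="${1:-report}" '
    function unit_seconds(u) {
        if (u == "" || u == "sec" || u == "second") return 1
        if (u == "min" || u == "minute")            return 60
        if (u == "hour")                            return 3600
        if (u == "day")                             return 86400
        return -1          # unknown unit: report it rather than guess
    }
    !/-m hashlimit/ { if (mode == "fix") print; next }
    {
        rate = ""; name = "?"; burst = 5; expire = 10000; has_expire = 0
        for (i = 1; i < NF; i++) {
            if ($i == "--hashlimit" || $i == "--hashlimit-upto" || $i == "--hashlimit-above")
                rate = $(i+1)
            else if ($i == "--hashlimit-burst")
                burst = $(i+1)
            else if ($i == "--hashlimit-name")
                name = $(i+1)
            else if ($i == "--hashlimit-htable-expire") {
                expire = $(i+1) + 0
                has_expire = 1
            }
        }
        n = split(rate, r, "/")
        secs = unit_seconds(n > 1 ? r[2] : "")
        if (secs < 0 || r[1] + 0 <= 0) {
            if (mode == "fix") { print } else { printf "%s rate=%s UNPARSED\n", name, rate }
            next
        }
        # Milliseconds until the bucket regains one credit at this rate. If the
        # entry expires sooner than that, it is recreated with a full burst.
        refill_ms = int(secs * 1000 / r[1])
        ok = (expire >= refill_ms)
        if (mode == "fix") {
            if (!ok && has_expire)
                sub(/--hashlimit-htable-expire [0-9]+/, "--hashlimit-htable-expire " refill_ms)
            else if (!ok)
                sub(/-m hashlimit/, "& --hashlimit-htable-expire " refill_ms)
            print
        } else {
            printf "%s rate=%s burst=%s refill_ms=%d expire_ms=%d%s %s\n", name, rate, burst, refill_ms, expire, (has_expire ? "" : "(default)"), (ok ? "OK" : "EXPIRES_EARLY")
        }
    }'
}

# Constructed sample in iptables-save format: the poster's LogLimit rule, a
# per-second rule that the 10 s default does not affect, and a plain rule.
SAMPLE_RULES='-A LogLimit -m hashlimit --hashlimit 1/hour --hashlimit-burst 1 --hashlimit-name loglimit --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "LogLimit:1:LOG "
-A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-name ssh --hashlimit-mode srcip -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP'

# Report on the constructed sample. On a live host:
#   iptables-save | hashlimit_audit report
printf '%s\n' "$SAMPLE_RULES" | hashlimit_audit report
```

With the sample above the LogLimit rule is reported as EXPIRES_EARLY (refill 3600000 ms against a 10000 ms default expiry) while the per-second rule is fine. `hashlimit_audit fix` inserts `--hashlimit-htable-expire 3600000` directly after `-m hashlimit`; review the rewritten rules before feeding them to iptables-restore. The refill interval is the minimum that makes the limit honest; using the full rate unit, as later iptables releases do by default, is equally valid and only costs a little more conntrack-style memory per tracked source.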