Are limit and hashlimit "limited"?

Are limit and hashlimit "limited"?

[Klaubert Herr da Silveira]

Hi,

I'm playing with match modules limit and hashlimit, and they appear to
be limited to match a maximun 100/sec. If I use hashlimit with no
"--hashlimit-mode" I get the same, a max of 100/sec, even if I set for
exemple to 250/sec. My command setting the 250/sec is accepted, with
no error, but test show only 100 match/sec.

Is this a hard limit of this modules, or I can go above this in some way?

Best regards,

Klaubert

Re: Are limit and hashlimit "limited"?

[Payam Chychi]

limit and hashlimit have never worked properly, one reason being the system bus speed.

playing around with values i was able to account for 100,000 packets/sec but that is the max

Sent from my iPhone

On 2012-05-14, at 3:30 PM, Klaubert Herr da Silveira <klaubert@gmail.com> wrote:

> Hi,
> 
> I'm playing with match modules limit and hashlimit, and they appear to
> be limited to match a maximun 100/sec. If I use hashlimit with no
> "--hashlimit-mode" I get the same, a max of 100/sec, even if I set for
> exemple to 250/sec. My command setting the 250/sec is accepted, with
> no error, but test show only 100 match/sec.
> 
> Is this a hard limit of this modules, or I can go above this in some way?
> 
> Best regards,
> 
> Klaubert
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Are limit and hashlimit "limited"?

[Jan Engelhardt]

On Tuesday 2012-05-15 00:45, Payam Chychi wrote:

>limit and hashlimit have never worked properly, one reason being the 
>system bus speed.

Can you actually *back up that statement*?

Re: Are limit and hashlimit "limited"?

[Payam Chychi]

its well documented and initially came to my attention about 3 years 
ago. A few people even wrote papers on it and the testing they performed 
and their findings.

Its been a while so perhaps a google search and a bit of reading might 
be required but it is most def a known issue

-Payam



On 12-05-14 3:53 PM, Jan Engelhardt wrote:
> On Tuesday 2012-05-15 00:45, Payam Chychi wrote:
>
>> limit and hashlimit have never worked properly, one reason being the
>> system bus speed.
> Can you actually *back up that statement*?

Re: Are limit and hashlimit "limited"?

[Payam Chychi]

just found it...

my initial question back in 2008: 
http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/35045
white paper on the issue: 
http://people.netfilter.org/acidfu/papers/limit-tbf-analysis.pdf

Cheers
-Payam



On 12-05-14 3:53 PM, Jan Engelhardt wrote:
> On Tuesday 2012-05-15 00:45, Payam Chychi wrote:
>
>> limit and hashlimit have never worked properly, one reason being the
>> system bus speed.
> Can you actually *back up that statement*?

Re: Are limit and hashlimit "limited"?

[Jan Engelhardt]

On Tuesday 2012-05-15 01:01, Payam Chychi wrote:
> On 12-05-14 3:53 PM, Jan Engelhardt wrote:
>> On Tuesday 2012-05-15 00:45, Payam Chychi wrote:
>>
>>> limit and hashlimit have never worked properly, one reason being the
>>> system bus speed.
>>
>> Can you actually *back up that statement*?
>
> white paper on the issue:
> http://people.netfilter.org/acidfu/papers/limit-tbf-analysis.pdf

The math issues are knwon yes; the question was related to that
ominous "system bus" of yours. (FSB? D-BUS?)

Re: Are limit and hashlimit "limited"?

[Jan Engelhardt]

On Tuesday 2012-05-15 00:45, Payam Chychi wrote:

>> I'm playing with match modules limit and hashlimit, and they appear to
>> be limited to match a maximun 100/sec. If I use hashlimit with no
>> "--hashlimit-mode" I get the same, a max of 100/sec, even if I set for
>> exemple to 250/sec. My command setting the 250/sec is accepted, with
>> no error, but test show only 100 match/sec.
>> 
>> Is this a hard limit of this modules, or I can go above this in some way?
>
>limit and hashlimit have never worked properly

Best is to collect packets using -j RATEEST and then matching
against it with -m rateest.

Re: Are limit and hashlimit "limited"?

[Klaubert Herr da Silveira]

So,

I have learned alot in this topic, thank to all that answered. And if
I understand correctly, beside the error in overflow handling
mentioned in the Nicolas's paper, we only get a high accuracy with
limit or hashlimit if HZ be very high, to avoid the colision on
concurrent packets arriving in the same slice of 10ms, 4ms or 1ms, but
changing the HZ can be some side effects.

So, can be useful to submit the Nicolas's patch again :)

In this meantime, I'll try rateest and find out how it can fit my needs.

Thanks,

Klaubert

On Mon, May 14, 2012 at 10:34 PM, Jan Engelhardt <jengelh@inai.de> wrote:
> On Tuesday 2012-05-15 00:45, Payam Chychi wrote:
>
>>> I'm playing with match modules limit and hashlimit, and they appear to
>>> be limited to match a maximun 100/sec. If I use hashlimit with no
>>> "--hashlimit-mode" I get the same, a max of 100/sec, even if I set for
>>> exemple to 250/sec. My command setting the 250/sec is accepted, with
>>> no error, but test show only 100 match/sec.
>>>
>>> Is this a hard limit of this modules, or I can go above this in some way?
>>
>>limit and hashlimit have never worked properly
>
> Best is to collect packets using -j RATEEST and then matching
> against it with -m rateest.