* Understanding rate limiting
@ 2005-09-13  6:24 venkata subramanian
  2005-09-13  7:19 ` /dev/rob0
  0 siblings, 1 reply; 2+ messages in thread
From: venkata subramanian @ 2005-09-13  6:24 UTC (permalink / raw)
  To: netfilter

I am new to iptables and I find it hard to understand rate limiting. (-m limit)

Just a few questions:
1) It is used for logging as well as not allowing a stream to exceed
its packets/time quota?
2) will all the packets that exceed the given rate be dropped?
(assuming a DROP jump is given)
3) is this a form of bandwidth management ... can I do this to limit
the bandwidth used by members in my organization?
4) how is dstlimit different? (and... quite naive... why is there no srclimit?)

I searched hard... but i have failed to find proper answers for the
above questions....



* Re: Understanding rate limiting
  2005-09-13  6:24 Understanding rate limiting venkata subramanian
@ 2005-09-13  7:19 ` /dev/rob0
  0 siblings, 0 replies; 2+ messages in thread
From: /dev/rob0 @ 2005-09-13  7:19 UTC (permalink / raw)
  To: netfilter

On Tuesday 2005-September-13 01:24, venkata subramanian wrote:
> I am new to iptables and I find it hard to understand rate limiting.
> (-m limit)

Let's call it the "limit match extension". It does not really do rate 
limiting per se.

> 1) It is used for logging as well as not allowing a stream to exceed
> its packets/time quota?

Strictly speaking it can be used to limit anything, not just logging.

> 2) will all the packets that exceed the given rate be dropped?
> (assuming a DROP jump is given)

No, this is wrong. Packets beyond the --limit simply do not match that 
rule. An unmatched packet is evaluated by the next rule, as always, 
until reaching the chain's default policy.

> 3) is this a form of bandwidth management ... can I do this to limit
> the bandwidth used by members in my organization?

I doubt it. There is tc(8) and possibly other better tools for this.

> 4) how is dstlimit different?

dstlimit
       This  module  allows you to limit the packet per second (pps)
       rate on a per destination IP or per destination port base.
       As  opposed  to  the `limit'  match,  every  destination  ip /
       destination port has it's [sic] own limit.

Hey, this is what I should be using for my SSH attack limiting. Thanks!

The difference appears to be with --dstlimit-mode. dstlimit looks more 
complex and more controllable. I would think that by specifying a 
destination in a --limit rule you could accomplish most of what 
dstlimit does? But there too, it's only a limit per rule, whereas 
dstlimit maintains different limits (as per the mode) within the same 
rule.

> (and... quite naive... why is there no srclimit?)

Again, --dstlimit-mode srcip-dstip almost does this. As to why no 
srclimit, I don't know. Perhaps it wasn't thought necessary?

> I searched hard... but i have failed to find proper answers for the
> above questions....

Everything I know about netfilter comes from 4 sources:
    1. Rusty's unreliable guides
    2. "man iptables"
    3. practice / experimentation
    4. this mailing list
What I know in particular about --limit came from 2 and 3.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
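The matching semantics /dev/rob0 describes above, as an added Python model that is not part of this thread and not netfilter code: a token bucket stands in for the kernel's --limit/--limit-burst credit, `limit` keeps one bucket per rule while `dstlimit` keeps one bucket per --dstlimit-mode key, and the chain walk shows an unmatched packet falling through to the next rule and finally to the chain policy. The hosts, rates and packets are constructed.

```python
from collections import defaultdict

class TokenBucket:
    # Model of the credit bucket behind --limit/--limit-burst (constructed, not kernel code).
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def take(self, now):
        # refill for the elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # over the limit: the rule simply does not match

def limit_match(rate_pps, burst):
    """-m limit: one bucket shared by every packet that reaches the rule."""
    bucket = TokenBucket(rate_pps, burst)
    return lambda pkt, now: bucket.take(now)

def dstlimit_match(mode, rate_pps, burst):
    """-m dstlimit: a separate bucket per key chosen by --dstlimit-mode."""
    fields = {"dstip": ("dst",), "dstip-dstport": ("dst", "dport"),
              "srcip-dstip": ("src", "dst")}[mode]
    buckets = defaultdict(lambda: TokenBucket(rate_pps, burst))
    return lambda pkt, now: buckets[tuple(pkt[f] for f in fields)].take(now)

def run_chain(rules, packets, policy="ACCEPT"):
    """Evaluate (time, packet) pairs against [(match, target)] rules in order;
    an unmatched packet goes to the next rule, then to the chain policy."""
    verdicts = []
    for now, pkt in packets:
        for match, target in rules:
            if match is None or match(pkt, now):
                verdicts.append(target)
                break
        else:
            verdicts.append(policy)
    return verdicts

def demo(rate_pps=1, burst=2):
    # constructed traffic: six packets at t=0 alternating between two hosts, one more at t=1s
    dsts = ["192.0.2.1", "192.0.2.2"] * 3 + ["192.0.2.1"]
    pkts = [(1.0 if i == 6 else 0.0, {"src": "10.0.0.9", "dst": d, "dport": 22})
            for i, d in enumerate(dsts)]
    # question 2: "-m limit -j DROP" drops only the packets *within* the limit
    naive = run_chain([(limit_match(rate_pps, burst), "DROP")], pkts)
    # the usual shape: accept within the limit, everything else falls through to DROP
    per_rule = run_chain([(limit_match(rate_pps, burst), "ACCEPT"), (None, "DROP")], pkts)
    per_dst = run_chain([(dstlimit_match("dstip", rate_pps, burst), "ACCEPT"), (None, "DROP")], pkts)
    return naive, per_rule, per_dst
```

With rate 1/s and burst 2, the per-rule limit admits only the first two packets of the burst regardless of destination, while the per-destination limit admits two per host, and the packet a second later is admitted by both because the bucket has refilled.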


