From: Jan Engelhardt <jengelh@medozas.de>
To: kaber@trash.net
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH 07/24] doc: add some coded option examples to libxt_hashlimit
Date: Wed, 25 May 2011 01:08:08 +0200
Message-ID: <1306278506-11463-8-git-send-email-jengelh@medozas.de>
In-Reply-To: <1306278506-11463-1-git-send-email-jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_hashlimit.man | 26 ++++++++++++++++----------
1 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index e91d0c6..f90577e 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -2,16 +2,7 @@
\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
rule. Grouping can be done per-hostgroup (source and/or destination address)
and/or per-port. It gives you the ability to express "\fIN\fP packets per time
-quantum per group":
-.TP
-matching on source host
-"1000 packets per second for every host in 192.168.0.0/16"
-.TP
-matching on source port
-"100 packets per second for every service of 192.168.1.1"
-.TP
-matching on subnet
-"10000 packets per minute for every /28 subnet in 10.0.0.0/8"
+quantum per group" (see below for some examples).
.PP
A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
\fB\-\-hashlimit\-name\fP are required.
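Review bot: The new pointer in the replaced line, "(see below for some examples)", does not say where to look, and the examples now sit at the very end of the page after all the option descriptions. Since the second hunk introduces them under "Examples:", refer to that paragraph by name so a reader scanning the intro knows the target. Note also that the context line right after this change states that \-\-hashlimit\-name is required, which the relocated examples should stay consistent with.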
@@ -57,3 +48,18 @@ After how many milliseconds do hash entries expire.
.TP
\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
How many milliseconds between garbage collection intervals.
+.PP
+Examples:
+.TP
+matching on source host
+"1000 packets per second for every host in 192.168.0.0/16" =>
+\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
+.TP
+matching on source port
+"100 packets per second for every service of 192.168.1.1" =>
+\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
+.TP
+matching on subnet
+"10000 packets per minute for every /28 subnet (groups of 8 addresses)
+in 10.0.0.0/8" =>
+\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
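Review bot: The subnet example's command does not match its own description: the text says "in 10.0.0.0/8" but the rule uses "\-s 10.0.0.8", a single host, which looks like a typo for "\-s 10.0.0.0/8". In the same example, "(groups of 8 addresses)" is off, since a /28 covers 16 addresses, and unlike the two examples above it there is no \-\-hashlimit\-mode, so it is unclear which address the mask groups on. Please also confirm that \-\-hashlimit\-mask is the option name as documented in the option list (not visible in this hunk). Finally, none of the three rules carries \-\-hashlimit\-name, which the page's intro says is required; either add it or state that these are fragments rather than complete rules, because a copied rule that is rejected or groups differently than described leaves the intended rate limit unenforced.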
--
1.7.3.4