limit module

Linux Netfilter discussions
 help / color / mirror / Atom feed

* limit module
@ 2008-01-30 16:13 Alexey Vlasov
  2008-01-30 18:02 ` Grant Taylor
  0 siblings, 1 reply; 2+ messages in thread
From: Alexey Vlasov @ 2008-01-30 16:13 UTC (permalink / raw)
  To: netfilter

Hello!

There's some mess in figures:

# iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit --limit 1/s
--limit-burst 50 -j ACCEPT
# iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit
--limit-burst 1000 -j LOG

Do I understand right that according to the first rule through it can
pass only 50 SYN packets per second. If I am right, then it can be
checked like this: I launch 50 times all at once "telnet dst_host 80" and
look at the counter:

50  2600 ACCEPT
0     0 LOG

Launch 50 times telnet again:

66  3432 ACCEPT
34  1768 LOG

Here goes that 50 packets came, but why only 16 came through the first
rule?

-- 
BRGDS. Alexey Vlasov.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: limit module
  2008-01-30 16:13 limit module Alexey Vlasov
@ 2008-01-30 18:02 ` Grant Taylor
  0 siblings, 0 replies; 2+ messages in thread
From: Grant Taylor @ 2008-01-30 18:02 UTC (permalink / raw)
  To: Mail List - Netfilter

On 01/30/08 10:13, Alexey Vlasov wrote:
> # iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit --limit 1/s
> --limit-burst 50 -j ACCEPT
> # iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit
> --limit-burst 1000 -j LOG
> 
> Do I understand right that according to the first rule through it can
> pass only 50 SYN packets per second. If I am right, then it can be
> checked like this: I launch 50 times all at once "telnet dst_host 80" and
> look at the counter:

It is my (mis)understanding that the limit match extension will allow 
the rate of packets specified with a possible burst of what ever is left 
over out of the burst buffer (if you will).  If there are no packets 
matching the rule, they number of packets that did not come through goes 
in to the burst buffer up to the point the burst buffer is full.

Think of it this way:  You have a bucket that burst buffer in size that 
is filled at limit speed.  You can take packets out of the bucket as 
fast as possible (burst) up to the point that there are no more packets 
in the bucket.  Once the bucket is empty, you can only take the packets 
out of the bucket as fast as they are replenished, thus the limit speed.

The burst is intended to allow short infrequent requests to pass as fast 
as possible up to the limit of a grace (burst).  Once the grace (burst) 
is exceeded, start rate limiting the requests.

> Here goes that 50 packets came, but why only 16 came through the first
> rule?

With out knowing the timing on your tests (down to the millisecond) I 
can only guess.  I'd say that your tests were off based on timing 
between multiple runs.  Had you said X number of packets per minute you 
may be able to get a more accurate test.

Grant. . . .

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2008-01-30 18:02 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-01-30 16:13 limit module Alexey Vlasov
2008-01-30 18:02 ` Grant Taylor

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox