Linux Netfilter discussions
From: Patrick McHardy <kaber@trash.net>
To: Retesh <retesh.chadha@gmail.com>
Cc: netfilter-request@lists.netfilter.org,
	netfilter-devel@lists.netfilter.org,
	netfilter@lists.netfilter.org
Subject: Re: hashlimit not working in iptable chains
Date: Fri, 01 Dec 2006 17:27:32 +0100	[thread overview]
Message-ID: <457057F4.3050703@trash.net> (raw)
In-Reply-To: <b322db070612010336v62e5f822pf9b6e1397b22b859@mail.gmail.com>

Retesh wrote:
> Hi All
> I am having a scenario where the iptables hashlimit feature is not
> working as expected. Following is the list of IP rules
> 
> INPUT (policy ACCEPT 1342 packets, 488K bytes)
> 1840  755K TEST       all  --  any    any     anywhere             anywhere
> 
> TEST (1 references)
> 0     0 CHAIN2     all  --  any    any     anywhere
> anywhere            set SET2 dst
> 1840  755K CHAIN1     all  --  any    any     anywhere
> anywhere            set SET1 dst
> 
> CHAIN1 (1 references)
> 919  375K ACCEPT     all  --  any    any     anywhere
> anywhere            limit: avg 200/sec burst 10 mode dstip
> 921  380K LOG        all  --  any    any     anywhere
> anywhere            LOG level warning prefix `_SET1'
> 
> CHAIN2 (1 references)
> 0     0 ACCEPT     all  --  any    any     anywhere
> anywhere            limit: avg 50/sec burst 10 mode dstip
> 0     0 LOG        all  --  any    any     anywhere
> anywhere            LOG level warning prefix `_SET2'
> 
> Here, SET1 and SET2 are iphash
> 
> Now after applying the above rules, irrespective of which set (SET1 or
> SET2) I send the packets from, I find that the limit that is used is
> 50/s, even though there are different chains for different sets. That
> is, packets from SET1 match CHAIN1 but the hashlimit value that's used
> is 50/s.
> So effectively the hashlimit that is set for all the chains is the one
> in the chain that occurs first.
> 
> Am I doing something wrong here, or is this a limitation with hashlimit?


This is a known problem: the limit is a property of the hashlimit table,
not the individual rules. You have to use separate --hashlimit-name
parameters.
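The sharing Patrick describes is easy to reproduce on paper and easy to miss in a ruleset review, because the `iptables -L` listing above does not show the table name at all. The script below is an added example, not code from this thread or from the netfilter project: it constructs iptables-save style rules for Retesh's two chains, first with one shared `--hashlimit-name` (the reported setup) and then with a distinct name per chain (Patrick's fix), and defines a small check that flags any `--hashlimit-name` used with more than one rate. The names `rate`, `set1_rate` and `set2_rate` and the exact rule text are assumptions; nothing in the script calls iptables, so it runs without root or a netfilter kernel.

```shell
#!/bin/sh
# Added example, not code from the thread. The --hashlimit-name values
# (rate, set1_rate, set2_rate) and the rule text are constructed to mirror
# Retesh's CHAIN1/CHAIN2; only the behaviour Patrick describes is taken
# from the thread. Nothing here calls iptables, so it runs anywhere.

# Constructed iptables-save style rules for the reported setup: both chains
# use the same --hashlimit-name, so they share one hashlimit table and the
# table created first (CHAIN2, 50/sec) silently supplies the limit for both.
# (--hashlimit is the original option; newer iptables also spells it
# --hashlimit-upto.)
SHARED_NAME_RULES='-A CHAIN2 -m hashlimit --hashlimit 50/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name rate -j ACCEPT
-A CHAIN2 -j LOG --log-prefix _SET2
-A CHAIN1 -m hashlimit --hashlimit 200/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name rate -j ACCEPT
-A CHAIN1 -j LOG --log-prefix _SET1'

# The fix: one table per chain, selected by a distinct --hashlimit-name.
FIXED_RULES='-A CHAIN2 -m hashlimit --hashlimit 50/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name set2_rate -j ACCEPT
-A CHAIN2 -j LOG --log-prefix _SET2
-A CHAIN1 -m hashlimit --hashlimit 200/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name set1_rate -j ACCEPT
-A CHAIN1 -j LOG --log-prefix _SET1'

# Read iptables-save style rules on stdin and print every --hashlimit-name
# that is used with more than one distinct rate, one name per line.
# Rules sharing a name share a table, so only one of those rates is enforced.
find_conflicting_hashlimit_names() {
    awk '
    /-m hashlimit/ {
        name = ""; rate = ""
        for (i = 1; i < NF; i++) {
            if ($i == "--hashlimit-name") name = $(i + 1)
            if ($i == "--hashlimit" || $i == "--hashlimit-upto" || $i == "--hashlimit-above") rate = $(i + 1)
        }
        # count each (name, rate) pair once; a name with >1 pairs is a conflict
        if (name != "" && !((name, rate) in seen)) {
            seen[name, rate] = 1
            rates[name]++
        }
    }
    END { for (n in rates) if (rates[n] > 1) print n }
    ' | sort
}

# Stand-alone demonstration: the shared-name ruleset is flagged, the fixed one is clean.
echo "conflicting hashlimit names in shared-name rules:"
printf '%s\n' "$SHARED_NAME_RULES" | find_conflicting_hashlimit_names
echo "conflicting hashlimit names in fixed rules:"
printf '%s\n' "$FIXED_RULES" | find_conflicting_hashlimit_names
```

On a live host the same check runs over the real ruleset with `iptables-save | find_conflicting_hashlimit_names`; an empty result means every hashlimit table is configured by exactly one rate, which is the property the fix establishes.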


Thread overview: 2+ messages
2006-12-01 11:36 hashlimit not working in iptable chains Retesh
2006-12-01 16:27 ` Patrick McHardy [this message]
