* hashlimit not working in iptable chains
@ 2006-12-01 11:36 Retesh
From: Retesh @ 2006-12-01 11:36 UTC (permalink / raw)
To: netfilter-devel, netfilter, netfilter-request
Hi All,

I am having a scenario where the iptables hashlimit feature is not
working as expected. Following is the list of IP rules:

INPUT (policy ACCEPT 1342 packets, 488K bytes)
1840 755K TEST all -- any any anywhere anywhere

TEST (1 references)
0 0 CHAIN2 all -- any any anywhere anywhere set SET2 dst
1840 755K CHAIN1 all -- any any anywhere anywhere set SET1 dst

CHAIN1 (1 references)
919 375K ACCEPT all -- any any anywhere anywhere limit: avg 200/sec burst 10 mode dstip
921 380K LOG all -- any any anywhere anywhere LOG level warning prefix `_SET1'

CHAIN2 (1 references)
0 0 ACCEPT all -- any any anywhere anywhere limit: avg 50/sec burst 10 mode dstip
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `_SET2'

Here, SET1 and SET2 are iphash.
Now, after applying the above rules, irrespective of which set (SET1 or
SET2) I send the packets from, I find that the limit that is used is
50/s, even though there are different chains for different sets. That
is, packets from SET1 match CHAIN1, but the hashlimit value that's used
is 50/s.
So, effectively, the hashlimit that is set for all the chains is the one
in the chain that occurs first.
Am I doing something wrong here, or is this a limitation with hashlimit?
Thanks in advance
With Regards
Retesh Chadha
* Re: hashlimit not working in iptable chains
From: Patrick McHardy @ 2006-12-01 16:27 UTC (permalink / raw)
To: Retesh; +Cc: netfilter-request, netfilter-devel, netfilter
Retesh wrote:
> Hi All,
>
> I am having a scenario where the iptables hashlimit feature is not
> working as expected. Following is the list of IP rules:
>
> INPUT (policy ACCEPT 1342 packets, 488K bytes)
> 1840 755K TEST all -- any any anywhere anywhere
>
> TEST (1 references)
> 0 0 CHAIN2 all -- any any anywhere anywhere set SET2 dst
> 1840 755K CHAIN1 all -- any any anywhere anywhere set SET1 dst
>
> CHAIN1 (1 references)
> 919 375K ACCEPT all -- any any anywhere anywhere limit: avg 200/sec burst 10 mode dstip
> 921 380K LOG all -- any any anywhere anywhere LOG level warning prefix `_SET1'
>
> CHAIN2 (1 references)
> 0 0 ACCEPT all -- any any anywhere anywhere limit: avg 50/sec burst 10 mode dstip
> 0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `_SET2'
>
> Here, SET1 and SET2 are iphash.
>
> Now, after applying the above rules, irrespective of which set (SET1 or
> SET2) I send the packets from, I find that the limit that is used is
> 50/s, even though there are different chains for different sets. That
> is, packets from SET1 match CHAIN1, but the hashlimit value that's used
> is 50/s.
> So, effectively, the hashlimit that is set for all the chains is the one
> in the chain that occurs first.
>
> Am I doing something wrong here, or is this a limitation with hashlimit?
This is a known problem: the limit is a property of the hashlimit table,
not the individual rules. You have to use separate --hashlimit-name
parameters.
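An added example, not from the thread: a constructed iptables-save-style excerpt that reproduces the shared-table mistake Patrick describes, the corrected rules with one --hashlimit-name per chain, and an awk check that flags any hashlimit table name used with more than one rate. The shared name "limit" and the fixed names "set1"/"set2" are assumptions, since the listing above does not show the --hashlimit-name values that were in use.

```shell
#!/bin/sh
# Constructed iptables-save excerpt: both hashlimit rules name the same table,
# so they share one rate (whichever rule created the table first). The shared
# name "limit" is an assumption; the thread's listing does not show the name.
BROKEN_RULES='
-A CHAIN1 -m hashlimit --hashlimit 200/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name limit -j ACCEPT
-A CHAIN1 -j LOG --log-prefix "_SET1"
-A CHAIN2 -m hashlimit --hashlimit 50/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name limit -j ACCEPT
-A CHAIN2 -j LOG --log-prefix "_SET2"
'

# Corrected ruleset: one table per chain, so each keeps its own rate and
# appears as its own /proc/net/ipt_hashlimit/<name> entry.
FIXED_RULES='
-A CHAIN1 -m hashlimit --hashlimit 200/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name set1 -j ACCEPT
-A CHAIN1 -j LOG --log-prefix "_SET1"
-A CHAIN2 -m hashlimit --hashlimit 50/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name set2 -j ACCEPT
-A CHAIN2 -j LOG --log-prefix "_SET2"
'

# Scan iptables-save output (passed as $1) for hashlimit table names used by
# rules with different rates. Prints "name first_rate other_rate" for each
# conflict and nothing when every table name carries a single rate. Handles
# the old --hashlimit option and the newer --hashlimit-upto/--hashlimit-above.
find_shared_hashlimit_tables() {
    printf '%s\n' "$1" | awk '
        /-m hashlimit/ {
            name = ""; rate = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--hashlimit-name") name = $(i + 1)
                if ($i == "--hashlimit" || $i == "--hashlimit-upto" || $i == "--hashlimit-above") rate = $(i + 1)
            }
            if (name == "") next
            if (name in seen) {
                if (seen[name] != rate) printf "%s %s %s\n", name, seen[name], rate
            } else {
                seen[name] = rate
            }
        }'
}

echo "Broken ruleset conflicts (expected: one line for table 'limit'):"
find_shared_hashlimit_tables "$BROKEN_RULES"
echo "Fixed ruleset conflicts (expected: none):"
find_shared_hashlimit_tables "$FIXED_RULES"
```

Against a live firewall, run `find_shared_hashlimit_tables "$(iptables-save)"` to spot rules that silently share a table.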