* limit module
@ 2008-01-30 16:13 Alexey Vlasov
From: Alexey Vlasov @ 2008-01-30 16:13 UTC (permalink / raw)
To: netfilter
Hello!
There's some mess in the figures:
# iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit --limit 1/s \
    --limit-burst 50 -j ACCEPT
# iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit \
    --limit-burst 1000 -j LOG
Do I understand correctly that, according to the first rule, only 50 SYN
packets per second can pass through it? If I am right, then it can be
checked like this: I launch "telnet dst_host 80" 50 times all at once and
look at the counters:
50 2600 ACCEPT
0 0 LOG
Launch 50 times telnet again:
66 3432 ACCEPT
34 1768 LOG
So 50 packets came, but why did only 16 come through the first
rule?
--
BRGDS. Alexey Vlasov.
* Re: limit module
From: Grant Taylor @ 2008-01-30 18:02 UTC (permalink / raw)
To: Mail List - Netfilter
On 01/30/08 10:13, Alexey Vlasov wrote:
> # iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit --limit 1/s \
>     --limit-burst 50 -j ACCEPT
> # iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit \
>     --limit-burst 1000 -j LOG
>
> Do I understand correctly that, according to the first rule, only 50 SYN
> packets per second can pass through it? If I am right, then it can be
> checked like this: I launch "telnet dst_host 80" 50 times all at once and
> look at the counters:
It is my (mis)understanding that the limit match extension will allow
the rate of packets specified, with a possible burst of whatever is left
over in the burst buffer (if you will). If there are no packets
matching the rule, the number of packets that did not come through goes
into the burst buffer, up to the point that the burst buffer is full.
Think of it this way: you have a bucket of burst-buffer size that
is filled at the limit speed. You can take packets out of the bucket as
fast as possible (burst) up to the point that there are no more packets
in the bucket. Once the bucket is empty, you can only take packets
out of the bucket as fast as they are replenished, thus the limit speed.
The burst is intended to allow short infrequent requests to pass as fast
as possible up to the limit of a grace (burst). Once the grace (burst)
is exceeded, start rate limiting the requests.
> So 50 packets came, but why did only 16 come through the first
> rule?
Without knowing the timing of your tests (down to the millisecond) I
can only guess. I'd say that your tests were off because of the timing
between multiple runs. Had you said X number of packets per minute you
might be able to get a more accurate test.
Grant. . . .
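The bucket description above is a token bucket, and the counters in the original question fall out of it directly. The following is an added example (not code from the thread or from netfilter itself): a Python model of the two-rule chain, with --limit 1/s --limit-burst 50 on the ACCEPT rule and, since the LOG rule gives no --limit, the default rate of 3/hour with --limit-burst 1000. The arrival timestamps are constructed; the kernel's xt_limit keeps its credit in jiffy-scaled units rather than fractional tokens, so this is a behavioural model, not the kernel algorithm.

```python
"""Token-bucket model of the iptables 'limit' match, constructed example.

Replays the test from the thread: 50 SYNs at once, then 50 more some
seconds later, through the two-rule chain quoted above.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """One 'limit' match: a bucket of `burst` tokens refilled at `rate` per second."""
    rate: float            # --limit, converted to tokens per second
    burst: int             # --limit-burst, the bucket capacity
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # the bucket starts full

    def match(self, now: float) -> bool:
        # Refill in proportion to the time since the previous packet, capped at burst.
        elapsed = now - self.last
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:            # a packet costs one token
            self.tokens -= 1.0
            return True
        return False                      # bucket empty: the rule does not match


def run_chain(arrivals: list[float], limit: float = 1.0, burst: int = 50) -> dict[str, int]:
    """Walk SYN arrival times (seconds) through the ACCEPT rule, then the LOG rule.

    Returns per-rule packet counters, the way `iptables -L -v` would show them.
    Packets that match neither limit fall through to the rest of the chain.
    """
    accept_rule = LimitMatch(rate=limit, burst=burst)
    # Assumption: no --limit on the LOG rule, so the default 3/hour applies.
    log_rule = LimitMatch(rate=3 / 3600, burst=1000)
    counters = {"ACCEPT": 0, "LOG": 0, "fallthrough": 0}
    for t in arrivals:
        if accept_rule.match(t):
            counters["ACCEPT"] += 1
        elif log_rule.match(t):
            counters["LOG"] += 1
        else:
            counters["fallthrough"] += 1
    return counters


def two_batches(gap_seconds: float, batch: int = 50) -> dict[str, int]:
    """Constructed input: `batch` SYNs at t=0, then `batch` more `gap_seconds` later."""
    arrivals = [0.0] * batch + [float(gap_seconds)] * batch
    return run_chain(arrivals)


if __name__ == "__main__":
    # 16 s between the two telnet bursts reproduces the thread's counters: 66 / 34.
    for gap in (0, 16, 60):
        print(f"gap={gap:>3}s  {two_batches(gap)}")
```

The second batch only gets min(gap, burst) packets through the first rule, because that is how many tokens dripped back into the bucket while it sat empty; the question's 16 ACCEPT / 34 LOG is exactly what you would see if roughly 16 seconds passed between the two runs. Note also that the second rule's bucket is large enough (1000) that with the default 3/hour rate it will absorb the overflow of many test runs before LOG stops matching.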