Linux Netfilter discussions
From: fuzzy_4711 <fuzzy_4711@gmx.de>
To: abirvalg@lavabit.com
Cc: netfilter@vger.kernel.org
Subject: Re: limit module timer precision issue
Date: Thu, 13 Oct 2011 21:59:15 +0200
Message-ID: <4E974313.9080508@gmx.de>
In-Reply-To: <20111013014310.4369d65e@wwwwww-701SD>
-------- Original - Text --------

> Hi, it seems to me that limit module has issues with timer precision.
> The only iptables rules I have are:
> 
> iptables  -I OUTPUT 1 -m state --state NEW -m limit --limit 2000/sec --limit-burst 1  -j NFQUEUE --queue-num 11220
> iptables -I OUTPUT 2 -m state --state NEW -j NFQUEUE --queue-num 11222
> 
> iptables  -I INPUT 1 -m state --state NEW -m limit --limit 2000/sec --limit-burst  1 -j NFQUEUE --queue-num 11221
> iptables -I INPUT 2 -m state --state NEW -j NFQUEUE --queue-num 11222
> 
> (Both NFQUEUE 11220 and 11221 pass only NF_ACCEPT or NF_DROP verdicts.)
> 
> If I understand -m limit correctly, only if there is more than 2000 NEW connections going in or out, NFQUEUE 11222 will trigger.

Are you sure? Couldn't it be that it triggers every time your *average*
(--limit 2000/second) of newly initiated connections is in the range of
up to 2000 per second based on the calculation that only 1 single packet
(--limit-burst 1) will make it through?

Take a look here and you will understand the dependencies between
--limit and --limit-burst since it is not intuitive at all:
http://www.josefassad.com/iptables_rate_limit_module

> When I seed a torrent, I hardly get 30 NEW connections per second and yet NFQUEUE 11222 triggers every now and then. I tried to lower the bar to --limit 100/sec and it still triggers occasionally.
> The way that I know that it triggers is that my app uses libnetfilter_queue and printf()s whenever it gets triggered, also watching
> /proc/net/netfilter/nfnetlink_queue shows a steady growth for NFQ11222 in the column next to the last.
> 
> My hunch is that -m limit can't deal with such high precision timing. Could somebody please comment?
> 
--


Have a nice day.
-fuz
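The point fuz makes above, as an added example that is not part of the thread: a simplified token-bucket model of `-m limit` (an assumption; it does not reproduce the kernel's exact credit arithmetic), applied to the two OUTPUT rules quoted in the original mail. With `--limit-burst 1` the bucket holds a single token that refills at 1/2000 s = 0.5 ms, so any two NEW connections closer together than that send the second one to NFQUEUE 11222, even when the average is only 30 per second. The arrival times are constructed.

```python
class LimitMatch:
    """Simplified token-bucket model of xt_limit (assumption: capacity is
    --limit-burst tokens, refill is --limit tokens per second, and each
    matching packet consumes one token; kernel credit scaling is not modelled)."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = self.burst   # bucket starts full
        self.last_t = 0.0

    def matches(self, t):
        # Refill proportionally to the time since the last packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def min_gap_seconds(rate_per_sec):
    """Gap below which a packet arriving at an empty bucket fails the match."""
    return 1.0 / rate_per_sec


def classify(arrival_times, rate_per_sec, burst):
    """Walk NEW-connection arrivals through the two OUTPUT rules from the mail:
    rule 1 (-m limit ... -j NFQUEUE 11220) matches while a token is available,
    everything else falls through to rule 2 (-j NFQUEUE 11222).
    Returns (count sent to 11220, count sent to 11222)."""
    m = LimitMatch(rate_per_sec, burst)
    to_11220 = to_11222 = 0
    for t in sorted(arrival_times):
        if m.matches(t):
            to_11220 += 1
        else:
            to_11222 += 1
    return to_11220, to_11222


# Constructed: 30 connections in one second, evenly spaced 33 ms apart.
EVEN = [i / 30 for i in range(30)]
# Constructed: same average rate, but one pair arrives 0.1 ms apart.
BURSTY = list(EVEN)
BURSTY[5] = BURSTY[4] + 0.0001

if __name__ == "__main__":
    print("refill interval at 2000/sec:", min_gap_seconds(2000), "s")
    print("even   -> (11220, 11222):", classify(EVEN, 2000, 1))
    print("bursty -> (11220, 11222):", classify(BURSTY, 2000, 1))
```

Lowering the limit to 100/sec widens the refill interval to 10 ms, so the same two closely spaced connections still fall through, which is consistent with the behaviour the original poster reports.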
