* Are limit and hashlimit "limited"?
From: Klaubert Herr da Silveira @ 2012-05-14 22:30 UTC
To: netfilter

Hi,

I'm playing with match modules limit and hashlimit, and they appear to
be limited to match a maximum 100/sec. If I use hashlimit with no
"--hashlimit-mode" I get the same, a max of 100/sec, even if I set for
example to 250/sec. My command setting the 250/sec is accepted, with
no error, but tests show only 100 matches/sec.

Is this a hard limit of these modules, or can I go above this in some way?

Best regards,

Klaubert

* Re: Are limit and hashlimit "limited"?
From: Payam Chychi @ 2012-05-14 22:45 UTC
To: Klaubert Herr da Silveira; +Cc: netfilter@vger.kernel.org

limit and hashlimit have never worked properly, one reason being the
system bus speed. Playing around with values I was able to account for
100,000 packets/sec but that is the max

Sent from my iPhone

On 2012-05-14, at 3:30 PM, Klaubert Herr da Silveira <klaubert@gmail.com> wrote:

> Hi,
>
> I'm playing with match modules limit and hashlimit, and they appear to
> be limited to match a maximum 100/sec. If I use hashlimit with no
> "--hashlimit-mode" I get the same, a max of 100/sec, even if I set for
> example to 250/sec. My command setting the 250/sec is accepted, with
> no error, but tests show only 100 matches/sec.
>
> Is this a hard limit of these modules, or can I go above this in some way?
>
> Best regards,
>
> Klaubert

* Re: Are limit and hashlimit "limited"?
From: Jan Engelhardt @ 2012-05-14 22:53 UTC
To: Payam Chychi; +Cc: Klaubert Herr da Silveira, netfilter@vger.kernel.org

On Tuesday 2012-05-15 00:45, Payam Chychi wrote:

>limit and hashlimit have never worked properly, one reason being the
>system bus speed.

Can you actually *back up that statement*?

* Re: Are limit and hashlimit "limited"?
From: Payam Chychi @ 2012-05-14 22:58 UTC
To: Jan Engelhardt; +Cc: Klaubert Herr da Silveira, netfilter@vger.kernel.org

It's well documented and initially came to my attention about 3 years
ago. A few people even wrote papers on it and the testing they performed
and their findings. It's been a while so perhaps a Google search and a
bit of reading might be required but it is most def a known issue

-Payam

On 12-05-14 3:53 PM, Jan Engelhardt wrote:
> On Tuesday 2012-05-15 00:45, Payam Chychi wrote:
>
>> limit and hashlimit have never worked properly, one reason being the
>> system bus speed.
> Can you actually *back up that statement*?

* Re: Are limit and hashlimit "limited"?
From: Payam Chychi @ 2012-05-14 23:01 UTC
To: Jan Engelhardt; +Cc: Klaubert Herr da Silveira, netfilter@vger.kernel.org

just found it...

my initial question back in 2008:
http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/35045

white paper on the issue:
http://people.netfilter.org/acidfu/papers/limit-tbf-analysis.pdf

Cheers
-Payam

On 12-05-14 3:53 PM, Jan Engelhardt wrote:
> On Tuesday 2012-05-15 00:45, Payam Chychi wrote:
>
>> limit and hashlimit have never worked properly, one reason being the
>> system bus speed.
> Can you actually *back up that statement*?

* Re: Are limit and hashlimit "limited"?
From: Jan Engelhardt @ 2012-05-15 0:52 UTC
To: Payam Chychi; +Cc: Klaubert Herr da Silveira, netfilter@vger.kernel.org

On Tuesday 2012-05-15 01:01, Payam Chychi wrote:
> On 12-05-14 3:53 PM, Jan Engelhardt wrote:
>> On Tuesday 2012-05-15 00:45, Payam Chychi wrote:
>>
>>> limit and hashlimit have never worked properly, one reason being the
>>> system bus speed.
>>
>> Can you actually *back up that statement*?
>
> white paper on the issue:
> http://people.netfilter.org/acidfu/papers/limit-tbf-analysis.pdf

The math issues are known, yes; the question was related to that ominous
"system bus" of yours. (FSB? D-BUS?)

* Re: Are limit and hashlimit "limited"?
From: Jan Engelhardt @ 2012-05-15 1:34 UTC
To: Payam Chychi; +Cc: Klaubert Herr da Silveira, netfilter@vger.kernel.org

On Tuesday 2012-05-15 00:45, Payam Chychi wrote:

>> I'm playing with match modules limit and hashlimit, and they appear to
>> be limited to match a maximum 100/sec. If I use hashlimit with no
>> "--hashlimit-mode" I get the same, a max of 100/sec, even if I set for
>> example to 250/sec. My command setting the 250/sec is accepted, with
>> no error, but tests show only 100 matches/sec.
>>
>> Is this a hard limit of these modules, or can I go above this in some way?
>
>limit and hashlimit have never worked properly

Best is to collect packets using -j RATEEST and then matching
against it with -m rateest.

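An added illustration of the RATEEST / rateest approach suggested in the message above (not part of the original thread and not code from any of its participants): a shell function that prints an iptables-restore fragment which feeds an estimator and then matches on its packet rate. The function name `rateest_ruleset`, the estimator name `in_est`, the mangle PREROUTING / filter INPUT placement, the 250ms / 0.5s timing and the DROP action are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore fragment that measures the packet
# rate on an interface with -j RATEEST and acts on it with -m rateest.
# Estimator name, timing values, chains and DROP are illustrative assumptions.

rateest_ruleset() {
    iface=$1
    pps=$2
    # Accept only a plain interface name and a positive integer, so the
    # values can be substituted into the ruleset text safely.
    case $iface in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    case $pps in ''|*[!0-9]*|0*) echo "bad pps" >&2; return 1 ;; esac
    cat <<EOF
*mangle
# RATEEST is non-terminating: it only feeds the estimator, packets continue.
-A PREROUTING -i $iface -j RATEEST --rateest-name in_est --rateest-interval 250ms --rateest-ewmalog 0.5s
COMMIT
*filter
# Matches every packet while the estimated rate is above the threshold.
# This is an average-rate test, not a token bucket: it does not pass
# exactly $pps packets/s, and dropped packets were already counted above.
-A INPUT -i $iface -m rateest --rateest in_est --rateest-gt --rateest-pps $pps -j DROP
COMMIT
EOF
}

# Print the fragment when called as: script IFACE PPS
if [ "$#" -ge 2 ]; then
    rateest_ruleset "$1" "$2"
fi
```

Apply it as root with `rateest_ruleset eth0 250 | iptables-restore -n`; `-n` (`--noflush`) leaves existing rules in place. The mangle table is committed first so that the estimator exists before the rule that matches on it is loaded.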
* Re: Are limit and hashlimit "limited"?
From: Klaubert Herr da Silveira @ 2012-05-15 18:20 UTC
To: Jan Engelhardt; +Cc: Payam Chychi, netfilter@vger.kernel.org

So, I have learned a lot in this topic, thanks to all that answered.

And if I understand correctly, besides the error in overflow handling
mentioned in Nicolas's paper, we only get a high accuracy with limit
or hashlimit if HZ is very high, to avoid the collision of concurrent
packets arriving in the same slice of 10ms, 4ms or 1ms, but changing
HZ can have some side effects.

So, it can be useful to submit Nicolas's patch again :)

In the meantime, I'll try rateest and find out how it can fit my needs.

Thanks,

Klaubert

On Mon, May 14, 2012 at 10:34 PM, Jan Engelhardt <jengelh@inai.de> wrote:
> On Tuesday 2012-05-15 00:45, Payam Chychi wrote:
>
>>> I'm playing with match modules limit and hashlimit, and they appear to
>>> be limited to match a maximum 100/sec. If I use hashlimit with no
>>> "--hashlimit-mode" I get the same, a max of 100/sec, even if I set for
>>> example to 250/sec. My command setting the 250/sec is accepted, with
>>> no error, but tests show only 100 matches/sec.
>>>
>>> Is this a hard limit of these modules, or can I go above this in some way?
>>
>>limit and hashlimit have never worked properly
>
> Best is to collect packets using -j RATEEST and then matching
> against it with -m rateest.