netfilter.vger.kernel.org archive mirror
From: Marco Padovan <evcz@evcz.tk>
Cc: netfilter@vger.kernel.org
Subject: Re: iptables hashlimit question
Date: Sat, 09 Jun 2012 21:06:10 +0200	[thread overview]
Message-ID: <4FD39EA2.20302@evcz.tk> (raw)
In-Reply-To: <CAJygYd1qba-vxbCqtBB2k_XrL4GSz_ysDrDOJ96VSk5uCbo7cQ@mail.gmail.com>

Default burst AFAIK is set to 5 ( #define XT_HASHLIMIT_BURST    5 ) so
in your case the bucket is filled with 105 (100+5) coins AFTER the first
second is passed... that means that *before* the full second ticks your
bucket will have less than 105 coins....

you should set the burst at least to the same value of the rate
limiting you want to achieve...

high hashlimit-htable-expire values shouldn't affect the rate limiting
*if you are not reaching the table size limits*...
if the table is full and expire is too long you can have problems and
cause the rule to get skipped/fail...


On 09/06/2012 20:33, Yucong Sun (叶雨飞) wrote:
> Hi,
>
> I've been trying to setup hashlimit on a linux (as a l3 gateway) to
> limit the pps per each IP, i have two questions:
>
> 1) for performance reason I have marked all traffic forwarded by the
> box to NOTRACK in raw table, would that affect hashlimit in anyway?
>
> 2) (there's only about 200 ips total) I found out when I  use this
> iptables -A FORWARD \
>  -m hashlimit --hashlimit-name limit1 \
>  --hashlimit-htable-size 4096 --hashlimit-htable-expire 60000 \
>  --hashlimit-srcmask 32 --hashlimit-mode srcip \
>  --hashlimit-upto 100/sec \
>  -j ACCEPT
>
> it still drops quite a few packets even though the rate is well under
> 100/sec, then I found out if I add
>
> --hashlimit-burst 100 , no packets will be dropped anymore (it appears
> to be working correctly), the document is very vague on this burst
> param, how much should I set it to if I just want to limit packet at
> 100/sec ?
>
> also does --hashlimit-htable-expire affect the rate limiting?
>
> Thanks.
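To make the burst/rate interaction discussed above concrete, here is an added illustration that is not the kernel's xt_hashlimit code and not from anyone in this thread. It models hashlimit as a per-source-IP token bucket (one bucket per srcip, capacity of --hashlimit-burst packets, refilled at --hashlimit-upto per second, created full on the first packet) and runs three constructed traffic patterns through it: an evenly spaced 90 pps flow, a 90 pps flow that arrives in clumps of 9 packets every 100 ms, and a 1000 pps flood. The source address 192.0.2.7, the timing patterns and the float-based credit accounting are assumptions of the model, not values from the thread or the kernel.

```python
"""Token-bucket model of iptables -m hashlimit accounting (added illustration).

This is NOT the kernel's xt_hashlimit code.  It models hashlimit as a
per-source-IP token bucket that starts full, holds at most
--hashlimit-burst packets and refills at --hashlimit-upto packets per
second, and uses that model to show why a flow averaging 90 pps can still
be dropped by "--hashlimit-upto 100/sec" with the default burst of 5.
"""

DEFAULT_BURST = 5  # XT_HASHLIMIT_BURST in the kernel headers


class HashLimit:
    """Per-key token bucket, like --hashlimit-mode srcip --hashlimit-srcmask 32."""

    def __init__(self, rate_per_sec, burst=DEFAULT_BURST):
        self.rate = float(rate_per_sec)   # --hashlimit-upto, in packets/sec
        self.burst = float(burst)         # --hashlimit-burst, bucket capacity
        self.table = {}                   # src ip -> (credits, last_seen)

    def match(self, src, now):
        """True if a packet from `src` at time `now` (seconds) is under the limit.

        A new entry is created full (burst credits), credits accrue with
        elapsed time up to the cap, and each matched packet costs one.
        """
        credits, last = self.table.get(src, (self.burst, now))
        credits = min(self.burst, credits + (now - last) * self.rate)
        if credits >= 1.0:
            self.table[src] = (credits - 1.0, now)
            return True
        self.table[src] = (credits, now)  # over limit: no credit spent
        return False


def steady(pps, seconds):
    """Constructed arrival times: one packet every 1/pps seconds."""
    return [i / pps for i in range(int(pps * seconds))]


def microburst(pkts_per_burst, bursts_per_sec, seconds, gap=1e-4):
    """Constructed arrival times with the same average rate, but packets
    arrive back-to-back (`gap` seconds apart) in clumps, the way a gateway
    sees them when an upstream queue drains."""
    times = []
    for b in range(int(bursts_per_sec * seconds)):
        t0 = b / bursts_per_sec
        times.extend(t0 + i * gap for i in range(pkts_per_burst))
    return times


def count_drops(arrivals, rate, burst, src="192.0.2.7"):
    """Number of packets the hashlimit rule would NOT match, i.e. that fall
    through the ACCEPT rule to whatever comes next in the chain."""
    hl = HashLimit(rate, burst)
    return sum(0 if hl.match(src, t) else 1 for t in arrivals)


if __name__ == "__main__":
    RATE = 100                            # --hashlimit-upto 100/sec
    even = steady(90, 10)                 # 90 pps, evenly spaced, 10 s
    bursty = microburst(9, 10, 10)        # 9 packets every 100 ms = 90 pps
    flood = steady(1000, 10)              # a real offender at 1000 pps
    print("steady 90 pps,  burst 5  :", count_drops(even, RATE, 5), "drops")
    print("bursty 90 pps,  burst 5  :", count_drops(bursty, RATE, 5), "drops")
    print("bursty 90 pps,  burst 100:", count_drops(bursty, RATE, 100), "drops")
    print("flood 1000 pps, burst 100:", count_drops(flood, RATE, 100), "drops")
```

With burst 5 the evenly spaced flow never drops, but the clumped flow at the same average rate loses 4 of every 9 packets, because only 5 credits can ever be banked; raising the burst to the rate (100) absorbs the clumps while the 1000 pps flood is still held to roughly 100 pps after the first 100 packets. The kernel keeps credits as scaled integers rather than floats, so exact counts on a real box can differ by a packet or so, but the shape of the result is the same.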




Thread overview: 3+ messages
2012-06-09 18:33 iptables hashlimit question Yucong Sun (叶雨飞)
2012-06-09 19:06 ` Marco Padovan [this message]
2012-06-09 21:11   ` Yucong Sun (叶雨飞)
