* iptables hashlimit question
@ 2012-06-09 18:33 Yucong Sun (叶雨飞)
From: Yucong Sun (叶雨飞) @ 2012-06-09 18:33 UTC (permalink / raw)
To: netfilter
Hi,
I've been trying to set up hashlimit on a Linux box (as an L3 gateway) to
limit the pps per IP. I have two questions:
1) For performance reasons I have marked all traffic forwarded by the
box as NOTRACK in the raw table. Would that affect hashlimit in any way?
2) (There are only about 200 IPs in total.) I found out that when I use this

iptables -A FORWARD \
  -m hashlimit --hashlimit-name limit1 \
  --hashlimit-htable-size 4096 --hashlimit-htable-expire 60000 \
  --hashlimit-srcmask 32 --hashlimit-mode srcip \
  --hashlimit-upto 100/sec \
  -j ACCEPT

it still drops quite a few packets even though the rate is well under
100/sec. Then I found out that if I add
--hashlimit-burst 100, no packets are dropped any more (it appears
to be working correctly). The documentation is very vague on this burst
parameter; how high should I set it if I just want to limit packets to
100/sec?
Also, does --hashlimit-htable-expire affect the rate limiting?
Thanks.
* Re: iptables hashlimit question
From: Marco Padovan @ 2012-06-09 19:06 UTC (permalink / raw)
Cc: netfilter
Default burst AFAIK is set to 5 (#define XT_HASHLIMIT_BURST 5), so
in your case the bucket is filled with 105 (100+5) coins AFTER the first
second has passed... that means that *before* the full second ticks your
bucket will have less than 105 coins....
You should set the burst at least to the same value as the rate
limiting you want to achieve...
High hashlimit-htable-expire values shouldn't affect the rate limiting
*if you are not reaching the table size limits*...
If the table is full and expire is too long you can have problems and
cause the rule to get skipped/fail...
On 09/06/2012 20:33, Yucong Sun (叶雨飞) wrote:
> Hi,
>
> I've been trying to set up hashlimit on a Linux box (as an L3 gateway) to
> limit the pps per IP. I have two questions:
>
> 1) For performance reasons I have marked all traffic forwarded by the
> box as NOTRACK in the raw table. Would that affect hashlimit in any way?
>
> 2) (There are only about 200 IPs in total.) I found out that when I use this
>
> iptables -A FORWARD \
>   -m hashlimit --hashlimit-name limit1 \
>   --hashlimit-htable-size 4096 --hashlimit-htable-expire 60000 \
>   --hashlimit-srcmask 32 --hashlimit-mode srcip \
>   --hashlimit-upto 100/sec \
>   -j ACCEPT
>
> it still drops quite a few packets even though the rate is well under
> 100/sec. Then I found out that if I add
>
> --hashlimit-burst 100, no packets are dropped any more (it appears
> to be working correctly). The documentation is very vague on this burst
> parameter; how high should I set it if I just want to limit packets to
> 100/sec?
>
> Also, does --hashlimit-htable-expire affect the rate limiting?
>
> Thanks.
* Re: iptables hashlimit question
From: Yucong Sun (叶雨飞) @ 2012-06-09 21:11 UTC (permalink / raw)
To: Marco Padovan; +Cc: netfilter
Thanks! However, when I was reading xt_hashlimit.c, I noticed that it
is actually doing credit = cfg.avg * cfg.burst; how would that work?
Also, I just want to confirm that this rule is packet-by-packet
matching, right? I have all traffic under NOTRACK.
Thanks.
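The following is an added example, written for this page; it is neither code from the thread nor the kernel's xt_hashlimit.c. It is a user-space C simulation of the per-source token bucket behind the "credit = cfg.avg * cfg.burst" line quoted in the last message and the burst discussion in the reply before it: a new entry starts with burst packets' worth of credit, the credit is refilled continuously and capped at that same value, and each matching packet pays one packet's cost. The rate of 100/sec, the burst values and the traffic patterns are constructed inputs, and the microsecond credit unit is an assumed simplification of the kernel's jiffy-scaled credits. It shows why a stream averaging 60 pps fails the match heavily with the default burst of 5 when packets arrive in groups of 20, why the same stream passes untouched with --hashlimit-burst 100, and that a sustained 120 pps is still cut back to roughly 100 pps either way.

```c
/*
 * Added example, not code from this thread or from the kernel's
 * xt_hashlimit.c: a user-space simulation of the per-entry token bucket
 * that hashlimit keeps for each source, to show what --hashlimit-burst does.
 *
 * Assumed model (same shape as the kernel's credit/cost/credit_cap fields,
 * simplified to microseconds instead of jiffy-scaled credits):
 *   cost       = 1e6 / rate      credits one matching packet pays
 *   credit_cap = burst * cost    initial credit and the refill ceiling,
 *                                i.e. the "credit = avg * burst" in the thread
 *   credit    += elapsed time    refilled continuously, capped at credit_cap
 *   a packet matches if credit >= cost, and then pays cost
 */
#include <stdint.h>
#include <stdio.h>

struct bucket {
    uint64_t credit;      /* current credit, in microseconds */
    uint64_t credit_cap;  /* burst * cost */
    uint64_t cost;        /* credits charged per packet */
    uint64_t prev_us;     /* time of the last update */
};

static void bucket_init(struct bucket *b, unsigned rate_pps, unsigned burst,
                        uint64_t now_us)
{
    b->cost = 1000000ULL / rate_pps;
    b->credit_cap = (uint64_t)burst * b->cost;
    b->credit = b->credit_cap;   /* a new entry starts with a full bucket */
    b->prev_us = now_us;
}

/* Returns 1 if the packet is within the limit (the match succeeds),
 * 0 if it is over the limit (the match fails). */
static int bucket_match(struct bucket *b, uint64_t now_us)
{
    b->credit += now_us - b->prev_us;      /* refill for the elapsed time */
    b->prev_us = now_us;
    if (b->credit > b->credit_cap)
        b->credit = b->credit_cap;         /* never bank more than burst packets */
    if (b->credit < b->cost)
        return 0;
    b->credit -= b->cost;
    return 1;
}

/*
 * Feeds one constructed traffic pattern through a bucket limited to rate_pps
 * with the given burst: 'groups' groups of 'n' packets arriving back to back
 * (1 us apart), with the starts of consecutive groups 'gap_us' apart.
 * Returns how many packets failed the match, i.e. would fall through the
 * "-m hashlimit ... -j ACCEPT" rule to whatever rule follows it.
 */
static unsigned simulate(unsigned rate_pps, unsigned burst,
                         unsigned groups, unsigned n, uint64_t gap_us)
{
    struct bucket b;
    unsigned over = 0;

    bucket_init(&b, rate_pps, burst, 0);
    for (unsigned g = 0; g < groups; g++) {
        uint64_t t = (uint64_t)g * gap_us;
        for (unsigned i = 0; i < n; i++)
            if (!bucket_match(&b, t + i))
                over++;
    }
    return over;
}

int main(void)
{
    /* 60 pps on average for 10 s, delivered as 20-packet groups 3 times a second */
    printf("20-packet groups, avg 60 pps, burst 5:   %u over limit\n",
           simulate(100, 5, 30, 20, 333333));
    printf("20-packet groups, avg 60 pps, burst 100: %u over limit\n",
           simulate(100, 100, 30, 20, 333333));
    /* the same 60 pps evenly spaced: the default burst is enough */
    printf("evenly spaced 60 pps, burst 5:           %u over limit\n",
           simulate(100, 5, 600, 1, 16666));
    /* a sustained 120 pps is still cut back to about 100 pps */
    printf("evenly spaced 120 pps, burst 5:          %u over limit\n",
           simulate(100, 5, 1200, 1, 8333));
    return 0;
}
```

Build with `cc -std=c99 -o hashlimit_sim hashlimit_sim.c`. In practice --hashlimit-burst is the number of packets a source may send back to back before the average rate is enforced, so for a 100/sec limit that should tolerate ordinary micro-bursts, a burst of 100 (one second's worth) is a reasonable choice. Two caveats the simulation makes visible: the rule as written only ACCEPTs packets within the limit, so the excess is dropped only if a DROP rule follows it; and every packet is judged on its own against the hashed source address, with no connection state involved, so NOTRACK in the raw table does not change what hashlimit sees.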