* iptables hashlimit question
@ 2012-06-09 18:33 Yucong Sun (叶雨飞)
2012-06-09 19:06 ` Marco Padovan
0 siblings, 1 reply; 3+ messages in thread
From: Yucong Sun (叶雨飞) @ 2012-06-09 18:33 UTC (permalink / raw)
To: netfilter
Hi,
I've been trying to setup hashlimit on a linux (as a l3 gateway) to
limit the pps per each IP, i have two questions:
1) for performance reason I have marked all traffic forwared by the
box to NOTRACK in raw table, would that affect hashlimit in anyway?
2) (there's only about 200 ips total) I found out when I use this
iptables -A FORWARD
-m hashlimit --hashlimit-name limit1 \
--hashlimit-htable-size 4096 --hashlimit-htable-expire 60000 \
--hashlimit-srcmask 32 --hashlimit-mode srcip \
--hashlimit-upto 100/sec \
-j ACCEPT
it still drops quite a few packets even thought the rate is well under
100/sec, then I found out if I add
--hashlimit-burst 100 , no packets will be dropped anymore (it appears
to be working correctly), the doucment is very vague on this burst
param, how much should I set it to if I just want to limit packet at
100/sec ?
also does -hashlimit-htable-expire affect the rate limiting?
Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: iptables hashlimit question
2012-06-09 18:33 iptables hashlimit question Yucong Sun (叶雨飞)
@ 2012-06-09 19:06 ` Marco Padovan
2012-06-09 21:11 ` Yucong Sun (叶雨飞)
0 siblings, 1 reply; 3+ messages in thread
From: Marco Padovan @ 2012-06-09 19:06 UTC (permalink / raw)
Cc: netfilter
Default burst AFAIK is set to 5 ( #define XT_HASHLIMIT_BURST 5 ) so
in your case the bucket is filled with 105 (100+5) coins AFTER the first
second is passed... that means that *before* the full second ticks your
bucket will have less then 105 coins....
you should set the burst at least to the same value of the rate
limititing you want to achieve...
high hashlimit-htable-expire values shouldn't affect the rate limiting
*if you are not reaching the table size limits*...
if the table is full and expire is too long you can have problems and
cause the rule to get skipped/fail...
Il 09/06/2012 20:33, Yucong Sun (叶雨飞) ha scritto:
> Hi,
>
> I've been trying to setup hashlimit on a linux (as a l3 gateway) to
> limit the pps per each IP, i have two questions:
>
> 1) for performance reason I have marked all traffic forwared by the
> box to NOTRACK in raw table, would that affect hashlimit in anyway?
>
> 2) (there's only about 200 ips total) I found out when I use this
> iptables -A FORWARD
> -m hashlimit --hashlimit-name limit1 \
> --hashlimit-htable-size 4096 --hashlimit-htable-expire 60000 \
> --hashlimit-srcmask 32 --hashlimit-mode srcip \
> --hashlimit-upto 100/sec \
> -j ACCEPT
>
> it still drops quite a few packets even thought the rate is well under
> 100/sec, then I found out if I add
>
> --hashlimit-burst 100 , no packets will be dropped anymore (it appears
> to be working correctly), the doucment is very vague on this burst
> param, how much should I set it to if I just want to limit packet at
> 100/sec ?
>
> also does -hashlimit-htable-expire affect the rate limiting?
>
> Thanks.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-06-09 21:11 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-06-09 18:33 iptables hashlimit question Yucong Sun (叶雨飞)
2012-06-09 19:06 ` Marco Padovan
2012-06-09 21:11 ` Yucong Sun (叶雨飞)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).