* xt_hashlimit: max count of 8192 reached
@ 2012-11-18 16:45 Marco Padovan
From: Marco Padovan @ 2012-11-18 16:45 UTC (permalink / raw)
To: netfilter
I'm using this rule on iptables v1.4.7

iptables -A INSYNSRCLIMITER -m hashlimit --hashlimit-htable-expire 10000
--hashlimit-htable-size 8192 --hashlimit-htable-max 8192
--hashlimit-mode srcip --hashlimit-name insynlimiter --hashlimit 1/s
--hashlimit-burst 25 -j RETURN

while being "synflooded" and I'm seeing a lot of

xt_hashlimit: max count of 8192 reached

errors logged... really a lot (just to explain how many of those: got a
bunch of "net_ratelimit: 42695 callbacks suppressed" logged too...)

What exactly do those errors mean?

Were there more than 8192 srcips to track and hashlimit went into
overflow, or am I using --hashlimit-htable-size and
--hashlimit-htable-max in the wrong way?
* Re: xt_hashlimit: max count of 8192 reached
@ 2012-11-19 5:41 叶雨飞
From: 叶雨飞 @ 2012-11-19 5:41 UTC (permalink / raw)
To: Marco Padovan; +Cc: netfilter

Those sizes mean the hashtable size is 8192 and each incoming connection
takes one place; because you are hashing by srcip, that means you are
tracking at most 8192 IPs at the same time.

When the hashtable is full you will see that log, and old entries will be
dropped from the table to make room for new ones. That will cause
inaccurate tracking and all sorts of performance problems too.
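A scaled-down model of the table the reply describes, added here as an illustration (it is not code from the thread or from the netfilter project): each distinct srcip occupies one entry, --hashlimit-htable-max caps the number of entries (the condition behind the "max count of N reached" message), --hashlimit-htable-size is only the bucket count of the hash and does not raise that cap, and --hashlimit-htable-expire (milliseconds) decides when an idle entry is freed. The per-source rate (1/s with burst 25) is modelled as a simplified token bucket, the class and function names are my own, and what the kernel does with a packet whose source cannot be tracked is not stated in the thread, so the model only counts those packets. The sample flood is constructed.

```python
"""Scaled-down model of an xt_hashlimit srcip table (illustration only)."""


class HashlimitTable:
    """One hashlimit table keyed by source address (--hashlimit-mode srcip)."""

    def __init__(self, htable_size, htable_max, expire_ms, rate_per_s, burst):
        # --hashlimit-htable-size: number of hash buckets. It only spreads
        # entries out for lookup speed; it is not a limit on tracked sources.
        self.buckets = htable_size
        # --hashlimit-htable-max: hard cap on entries (one entry per srcip).
        self.max_entries = htable_max
        # --hashlimit-htable-expire: idle time (ms) after which an entry is freed.
        self.expire_s = expire_ms / 1000.0
        # --hashlimit 1/s --hashlimit-burst 25: one credit per second, up to 25.
        self.interval_s = 1.0 / rate_per_s
        self.burst = burst
        self.entries = {}      # srcip -> [credits, last_seen]
        self.full_events = 0   # times a new srcip found the table full
        self._last_gc = None   # model time of the last expiry sweep

    def _expire_idle(self, now):
        """Free entries idle longer than the expire interval. The sweep runs
        once per expire interval of model time (the kernel uses a gc timer)."""
        if self._last_gc is not None and now - self._last_gc < self.expire_s:
            return
        self._last_gc = now
        idle = [ip for ip, (_, seen) in self.entries.items()
                if now - seen > self.expire_s]
        for ip in idle:
            del self.entries[ip]

    def match(self, srcip, now):
        """Evaluate one packet from srcip at model time `now` (seconds).

        True  -> within rate: the -m hashlimit match succeeds (-j RETURN fires)
        False -> over rate: the match fails, packet falls through to later rules
        None  -> table full, srcip cannot be tracked; this is the condition
                 that produces "xt_hashlimit: max count of N reached"
        """
        self._expire_idle(now)
        entry = self.entries.get(srcip)
        if entry is None:
            if len(self.entries) >= self.max_entries:
                self.full_events += 1
                return None
            entry = [float(self.burst), now]
            self.entries[srcip] = entry
        credits, last_seen = entry
        # simplified token bucket: refill one credit per interval, cap at burst
        credits = min(float(self.burst),
                      credits + (now - last_seen) / self.interval_s)
        entry[1] = now
        if credits >= 1.0:
            entry[0] = credits - 1.0
            return True
        entry[0] = credits
        return False


def run(table, packets):
    """Feed (time_s, srcip) tuples through the table; return outcome counts."""
    counts = {"match": 0, "over_rate": 0, "untracked": 0}
    for now, srcip in packets:
        result = table.match(srcip, now)
        if result is None:
            counts["untracked"] += 1
        elif result:
            counts["match"] += 1
        else:
            counts["over_rate"] += 1
    return counts


def synflood(table, sources, pkts_per_source=1, t=0.0):
    """Constructed flood: `sources` distinct (hypothetical) srcips, each
    sending pkts_per_source packets at model time t."""
    packets = [(t, "10.%d.%d.%d" % ((s >> 16) & 255, (s >> 8) & 255, s & 255))
               for s in range(sources) for _ in range(pkts_per_source)]
    return run(table, packets)


if __name__ == "__main__":
    # the rule from the thread: size 8192, max 8192, expire 10 s, 1/s burst 25
    tbl = HashlimitTable(8192, 8192, 10000, 1, 25)
    print(synflood(tbl, 10000), "full events:", tbl.full_events)
    # a bigger htable-size alone changes nothing: htable-max is the cap
    print(synflood(HashlimitTable(65536, 8192, 10000, 1, 25), 10000))
    # raising htable-max lets every source of this flood be tracked
    print(synflood(HashlimitTable(65536, 65536, 10000, 1, 25), 10000))
```

With the thread's own numbers, a flood from 10000 distinct sources inside one expire window leaves 1808 sources the rule cannot track, and each such packet is one occurrence of the logged message (rate-limited by net_ratelimit, which is where the "callbacks suppressed" lines come from). Sizing htable-max to the number of distinct sources you expect within the expire window, rather than to htable-size, is what keeps the table from filling.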