- Subject: iptables hashlimit question
- From: Yucong Sun (叶雨飞) <sunyucong@xxxxxxxxx>
- Date: Sat, 9 Jun 2012 11:33:31 -0700
Hi,
I've been trying to set up hashlimit on a Linux box (acting as an L3 gateway) to
limit the pps per IP. I have two questions:
1) For performance reasons I have marked all traffic forwarded by the
box as NOTRACK in the raw table; would that affect hashlimit in any way?
2) (There are only about 200 IPs in total.) I found out that when I use this:
iptables -A FORWARD \
-m hashlimit --hashlimit-name limit1 \
--hashlimit-htable-size 4096 --hashlimit-htable-expire 60000 \
--hashlimit-srcmask 32 --hashlimit-mode srcip \
--hashlimit-upto 100/sec \
-j ACCEPT
it still drops quite a few packets even though the rate is well under
100/sec. Then I found out that if I add
--hashlimit-burst 100, no packets are dropped anymore (it appears
to be working correctly). The documentation is very vague on this burst
parameter; how much should I set it to if I just want to limit packets to
100/sec?
Also, does --hashlimit-htable-expire affect the rate limiting?
Thanks.
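The behaviour asked about above comes from hashlimit being a token bucket: `--hashlimit-upto` is the refill rate and `--hashlimit-burst` is the bucket capacity, so a source that sends well under the average rate but delivers its packets in back-to-back clumps still exhausts a small bucket. The following is an added illustration, a simplified model written for this reply rather than the netfilter kernel code or anything from the original post. It assumes one bucket per source IP (`--hashlimit-mode srcip`), a default burst of 5 when none is given, that an entry idle for longer than `--hashlimit-htable-expire` is dropped from the table and that a fresh entry starts with a full bucket; the traffic it feeds in is constructed, not captured.

```python
"""Simplified token-bucket model of iptables hashlimit, keyed by source IP.

Added illustration, not the xt_hashlimit kernel code.  Assumptions:
  - one bucket per source IP (--hashlimit-mode srcip)
  - `rate`  = --hashlimit-upto in packets/sec (refill rate)
  - `burst` = --hashlimit-burst, the bucket capacity (assumed default 5)
  - an entry idle longer than --hashlimit-htable-expire is forgotten, and
    the next packet from that IP starts with a full bucket again
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    rate: float    # tokens (packets) added per second
    burst: float   # maximum tokens the bucket can hold
    tokens: float  # tokens currently available
    last: float    # time of the last update, in seconds

    def take(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class HashLimit:
    def __init__(self, rate: float, burst: int, expire_ms: int):
        self.rate, self.burst = float(rate), float(burst)
        self.expire = expire_ms / 1000.0
        self.table = {}  # src IP -> Bucket

    def match(self, src: str, now: float) -> bool:
        b = self.table.get(src)
        if b is None or now - b.last > self.expire:
            # New or expired entry: starts with a full bucket of burst credit.
            b = Bucket(self.rate, self.burst, self.burst, now)
            self.table[src] = b
        return b.take(now)


def simulate(packets, rate, burst, expire_ms=60000):
    """packets: iterable of (timestamp_seconds, src_ip). Returns (accepted, dropped)."""
    hl = HashLimit(rate, burst, expire_ms)
    accepted = dropped = 0
    for t, src in packets:
        if hl.match(src, t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def bursty_stream(src, seconds, pps, chunk):
    """Constructed traffic: `pps` packets/sec on average, but arriving in
    back-to-back clumps of `chunk` packets (as interrupt coalescing or a
    bursty sender would produce)."""
    out = []
    for s in range(seconds):
        for k in range(pps // chunk):
            t = s + k * (chunk / pps)
            out.extend((t, src) for _ in range(chunk))
    return out


if __name__ == "__main__":
    # 50 pps average from one host, i.e. well under 100/sec, in clumps of 25.
    traffic = bursty_stream("192.0.2.10", 10, 50, 25)
    print("burst 5  :", simulate(traffic, 100, 5))     # small bucket: drops
    print("burst 100:", simulate(traffic, 100, 100))   # bucket >= clump: no drops
```

With the assumed default burst of 5, each clump of 25 packets finds only 5 tokens and the remaining 20 are dropped even though the second-by-second average is half the limit; a burst equal to the largest clump the limiter should tolerate (100 here) removes the drops. The expire timer does not change the steady-state rate, it only decides when an idle source's entry is discarded and therefore re-created with full burst credit.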