Discussion:
Problem using hashlimit for bandwidth limit
Akshat Kakkar
2014-08-28 08:33:44 UTC
Hi!


I want to use hashlimit for giving all my users a fixed amount of bandwidth
of 512kbps for accessing the internet.


I am using the following commands.


# allowing return packets so that rate limiting is done only on forward packets.

iptables -A FORWARD -s 192.168.192.168 -j ACCEPT

# If limit is up to 512 then allow

iptables -A FORWARD -m hashlimit --hashlimit-name test512 \
    --hashlimit-mode srcip --hashlimit-htable-size 1000 \
    --hashlimit-htable-max 1000 --hashlimit-upto 64kb/s \
    --hashlimit-burst 128kb -j ACCEPT

# else drop

iptables -A FORWARD -j DROP


I am not observing the expected behaviour.

I am sending pings of 100 bytes continuously at a 10 msec interval.

What I observed is that I got back replies to only the first 2 pings, and for
the remaining there is no reply. The next reply came only after 103 seconds
!!! and that too only a single reply.


The output of iptables -L -n -v also shows only 2 packets matching this rule.


The output of the command cat /proc/net/ipt_hashlimit/test512 looks like


59 10.10.10.10:0->192.168.192.168:0 764416 6688000 3328000

The number 764416 keeps on increasing, but I did not observe any reply till
it reaches the value of 3328000. But it takes a huge time (~103 seconds)
to reach that value.


Can anyone please explain all this behaviour?


Thank you.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Akshat Kakkar
2014-08-30 06:26:07 UTC
Akshat Kakkar
2014-09-01 07:02:35 UTC
Hi!

My problem is not related to that. I think so ... ;)

What I want to achieve is a fixed bandwidth of 512 kbps and not a fixed
connection rate (like 512K connections per sec).

I want to use hashlimit for this purpose because, as of iptables 1.4.15,
hashlimit has the feature of including bit rate also in the hashlimit.
However, I am not able to achieve that bandwidth limit with hashlimit.
The observations mentioned in my initial mail are all in this regard
only.

Thanks and Regards,
-Akshat
http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/35045
--
Payam Chychi
Network Engineer / Security Specialist
I might be bothering too much, but I am not able to find any info on
this on Google. Looks like everyone is happy using hashlimit for
bandwidth control and I am the only one in the desert trying to
survive. Please help.
This is an old and well-covered item, Google can be of help.
You won't get the required results; hashlimit takes your clock speed into
account... amongst a few others.
Kindly google.
--
Payam Chychi
Network Engineer / Security Specialist