.\" iptables hashlimit match man page source (git blame view; contributions by Jonas Berlin and Jan Engelhardt, 2005-2011)
\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
rule. Grouping can be done per-hostgroup (source and/or destination address)
and/or per-port. It gives you the ability to express "\fIN\fP packets per time
quantum per group" (see below for some examples).
.PP
A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
\fB\-\-hashlimit\-name\fP are required.
.TP
\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as
a number, with an optional time quantum suffix; the default is 3/hour.
.TP
\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is above \fIamount\fP/quantum.
.TP
\fB\-\-hashlimit\-burst\fP \fIamount\fP
Maximum initial number of packets to match: this number gets recharged by one
every time the limit specified above is not reached, up to this number; the
default is 5.
.TP
\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
A comma-separated list of objects to take into consideration. If no
\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
expense of doing the hash housekeeping.
.TP
\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
grouped according to the given prefix length and the so-created subnet will be
subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
srcip for \-\-hashlimit\-mode, but is technically more expensive.
.TP
\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
Like \-\-hashlimit\-srcmask, but for destination addresses.
.TP
\fB\-\-hashlimit\-name\fP \fIfoo\fP
The name for the /proc/net/ipt_hashlimit/foo entry.
.TP
\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
The number of buckets of the hash table.
.TP
\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
Maximum entries in the hash.
.TP
\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
The number of milliseconds after which hash entries expire.
.TP
\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
The number of milliseconds between garbage collection runs.
.PP
Examples:
.TP
matching on source host
"1000 packets per second for every host in 192.168.0.0/16" =>
\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
.TP
matching on source port
"100 packets per second for every service of 192.168.1.1" =>
\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
.TP
matching on subnet
"10000 packets per minute for every /28 subnet (groups of 8 addresses)
in 10.0.0.0/8" =>
\-s 10.0.0.0/8 \-\-hashlimit\-mode srcip \-\-hashlimit\-srcmask 28 \-\-hashlimit\-upto 10000/min
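The per-group bucket behaviour the options above describe (group keys from \-\-hashlimit\-mode, srcmask subnet grouping, burst recharge, the upto/above inversion and entry expiry), modelled in Python as an added example; this is not code from iptables or this man page, and the class, method and parameter names as well as the simplified token-per-second recharge are assumptions.

```python
import ipaddress
from collections import namedtuple

# One packet; the values used below are constructed sample data.
Packet = namedtuple("Packet", "t src dst sport dport")   # t = arrival time in seconds

class HashLimit:
    """Token-bucket model of the hashlimit match, one bucket per group key.
    Names and the simplified recharge maths are assumptions, not kernel code."""

    def __init__(self, mode, upto, burst=5, srcmask=32, dstmask=32,
                 above=False, expire=None):
        self.mode = tuple(mode)        # e.g. ("srcip",) for --hashlimit-mode srcip
        self.rate = float(upto)        # --hashlimit-upto/above, packets per second
        self.burst = burst             # --hashlimit-burst: initial and maximum tokens
        self.srcmask, self.dstmask = srcmask, dstmask
        self.above = above             # True models --hashlimit-above
        self.expire = expire           # --hashlimit-htable-expire, in seconds
        self.table = {}                # group key -> (tokens, last_seen)

    def key(self, p):
        # An empty --hashlimit-mode yields (): one global bucket, like the limit match.
        parts = []
        for m in self.mode:
            if m == "srcip":    # --hashlimit-srcmask folds sources into one subnet key
                parts.append(str(ipaddress.ip_network(f"{p.src}/{self.srcmask}", strict=False)))
            elif m == "dstip":
                parts.append(str(ipaddress.ip_network(f"{p.dst}/{self.dstmask}", strict=False)))
            elif m == "srcport":
                parts.append(("sport", p.sport))
            elif m == "dstport":
                parts.append(("dport", p.dport))
        return tuple(parts)

    def match(self, p):
        """True when the rule matches p (upto: within the rate; above: over it)."""
        k = self.key(p)
        tokens, last = self.table.get(k, (self.burst, p.t))
        if self.expire is not None and p.t - last > self.expire:
            tokens = self.burst        # expired entry is recreated with a full burst
        tokens = min(self.burst, tokens + (p.t - last) * self.rate)   # recharge
        within = tokens >= 1
        if within:
            tokens -= 1                # the packet consumes one token
        self.table[k] = (tokens, p.t)
        return within != self.above    # --hashlimit-above is the inverse decision

def run(limiter, packets):
    return [limiter.match(p) for p in packets]
```

With `--hashlimit-srcmask 28`, 10.0.0.1 and 10.0.0.14 share one bucket while 10.0.0.17 gets its own, so a burst exhausted by one host also blocks its subnet neighbours until the rate recharges the bucket.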