Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / iptables / f53710b16c2bae1843c3f5fee390f496dfa82526 / . / extensions / libxt_hashlimit.man
blob: f90577e77796502fac2ccc368a0863483aad4045 [file] [log] [blame]
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]1\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
2\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]3rule. Grouping can be done per-hostgroup (source and/or destination address)
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]4and/or per-port. It gives you the ability to express "\fIN\fP packets per time
Jan Engelhardt88cfbe22011-05-21 00:59:11 +0200[diff] [blame]5quantum per group" (see below for some examples).
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]6.PP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]7A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
8\fB\-\-hashlimit\-name\fP are required.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]9.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]10\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]11Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]12a number, with an optional time quantum suffix; the default is 3/hour.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]13.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]14\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]15Match if the rate is above \fIamount\fP/quantum.
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]16.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]17\fB\-\-hashlimit\-burst\fP \fIamount\fP
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]18Maximum initial number of packets to match: this number gets recharged by one
19every time the limit specified above is not reached, up to this number; the
20default is 5.
21.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]22\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]23A comma-separated list of objects to take into consideration. If no
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]24\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]25expensive of doing the hash housekeeping.
26.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]27\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
28When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]29grouped according to the given prefix length and the so-created subnet will be
Jan Engelhardtc6775d62010-07-23 21:23:05 +0200[diff] [blame]30subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]31that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
32srcip for \-\-hashlimit\-mode, but is technically more expensive.
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]33.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]34\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
35Like \-\-hashlimit\-srcmask, but for destination addresses.
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]36.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]37\fB\-\-hashlimit\-name\fP \fIfoo\fP
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]38The name for the /proc/net/ipt_hashlimit/foo entry.
39.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]40\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]41The number of buckets of the hash table
42.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]43\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
Jan Engelhardt9a8c77f2008-02-11 00:55:33 +0100[diff] [blame]44Maximum entries in the hash.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]45.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]46\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
Jan Engelhardt6cf172e2008-03-10 17:48:59 +0100[diff] [blame]47After how many milliseconds do hash entries expire.
Jonas Berlinf33c4612005-04-01 06:54:23 +0000[diff] [blame]48.TP
Jan Engelhardtfea74bf2009-01-12 04:53:18 +0100[diff] [blame]49\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
Jan Engelhardt6cf172e2008-03-10 17:48:59 +0100[diff] [blame]50How many milliseconds between garbage collection intervals.
Jan Engelhardt88cfbe22011-05-21 00:59:11 +0200[diff] [blame]51.PP
52Examples:
53.TP
54matching on source host
55"1000 packets per second for every host in 192.168.0.0/16" =>
56\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
57.TP
58matching on source port
59"100 packets per second for every service of 192.168.1.1" =>
60\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
61.TP
62matching on subnet
63"10000 packets per minute for every /28 subnet (groups of 8 addresses)
64in 10.0.0.0/8" =>
65\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min