\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
rule. Grouping can be done per-hostgroup (source and/or destination address)
and/or per-port. It gives you the ability to express "\fIN\fP packets per time
quantum per group" (see below for some examples).
.PP
A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
\fB\-\-hashlimit\-name\fP are required.
.TP
\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as
a number, with an optional time quantum suffix; the default is 3/hour.
.TP
\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is above \fIamount\fP/quantum.
.TP
\fB\-\-hashlimit\-burst\fP \fIamount\fP
Maximum initial number of packets to match: this number gets recharged by one
every time the limit specified above is not reached, up to this number; the
default is 5.
.TP
\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
A comma-separated list of objects to take into consideration. If no
\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
expense of doing the hash housekeeping.
.TP
\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
grouped according to the given prefix length and the so-created subnet will be
subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
srcip for \-\-hashlimit\-mode, but is technically more expensive.
.TP
\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
Like \-\-hashlimit\-srcmask, but for destination addresses.
.TP
\fB\-\-hashlimit\-name\fP \fIfoo\fP
The name for the /proc/net/ipt_hashlimit/foo entry.
.TP
\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
The number of buckets of the hash table.
.TP
\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
Maximum entries in the hash.
.TP
\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
After how many milliseconds do hash entries expire.
.TP
\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
How many milliseconds between garbage collection intervals.
.PP
Examples:
.TP
matching on source host
"1000 packets per second for every host in 192.168.0.0/16" =>
\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
.TP
matching on source port
"100 packets per second for every service of 192.168.1.1" =>
\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
.TP
matching on subnet
"10000 packets per minute for every /28 subnet (groups of 8 addresses)
in 10.0.0.0/8" =>
\-s 10.0.0.0/8 \-\-hashlimit\-mode srcip \-\-hashlimit\-srcmask 28 \-\-hashlimit\-upto 10000/min

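To make the per-group accounting above concrete, here is an added Python model of the match semantics this page describes (written for this page; it is not the kernel's xt_hashlimit code nor part of the iptables sources): each group key selected by \-\-hashlimit\-mode (with \-\-hashlimit\-srcmask/\-\-hashlimit\-dstmask collapsing addresses to subnets) gets a bucket of \-\-hashlimit\-burst packets that is recharged at the \-\-hashlimit\-upto rate, and a group idle for longer than \-\-hashlimit\-htable\-expire is forgotten. The abbreviated unit names, the per-second reading of a bare number and the float token bucket are assumptions of the model, not documented behaviour.

```python
import ipaddress

# Constructed model of hashlimit: one token bucket per group key.
# Assumption: a bare amount with no suffix is read as "per second".
UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec):
    """'1000/sec' -> packets per second; the unit may be abbreviated."""
    amount, _, unit = spec.partition("/")
    full = next(u for u in UNITS if u.startswith(unit or "second"))
    return float(amount) / UNITS[full]


class HashLimit:
    def __init__(self, upto, burst=5, mode=("srcip",), srcmask=32,
                 dstmask=32, expire_ms=10000, above=False):
        self.rate, self.burst, self.mode = parse_rate(upto), burst, set(mode)
        self.srcmask, self.dstmask = srcmask, dstmask
        self.expire, self.above = expire_ms / 1000.0, above
        self.table = {}  # group key -> (remaining tokens, last seen time)

    def key(self, src, sport, dst, dport):
        # --hashlimit-mode picks the fields that form the group; the masks
        # fold an address into its /prefix subnet like --hashlimit-srcmask.
        parts = []
        if "srcip" in self.mode:
            parts.append(ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False))
        if "srcport" in self.mode:
            parts.append(sport)
        if "dstip" in self.mode:
            parts.append(ipaddress.ip_network(f"{dst}/{self.dstmask}", strict=False))
        if "dstport" in self.mode:
            parts.append(dport)
        return tuple(parts)

    def match(self, now, src, sport, dst, dport):
        """True if the rule matches this packet: --hashlimit-upto semantics,
        inverted when above=True (--hashlimit-above)."""
        k = self.key(src, sport, dst, dport)
        tokens, last = self.table.get(k, (float(self.burst), now))
        if now - last > self.expire:  # entry expired: group starts fresh
            tokens, last = float(self.burst), now
        # Recharge at the configured rate, never above the burst ceiling.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        under_limit = tokens >= 1.0
        if under_limit:
            tokens -= 1.0
        self.table[k] = (tokens, now)
        return under_limit != self.above
```

Four packets from one /24 in the same instant with burst 3 give three matches and one miss; one second later, at 2/sec, the group has recharged two tokens.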