\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
rule. Grouping can be done per-hostgroup (source and/or destination address)
and/or per-port. It gives you the ability to express "\fIN\fP packets per time
quantum per group" or "\fIN\fP bytes per second" (see below for some examples).
.PP
A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
\fB\-\-hashlimit\-name\fP are required.
.TP
\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is below or equal to \fIamount\fP/quantum. It is specified either as
a number, with an optional time quantum suffix (the default is 3/hour), or as
\fIamount\fPb/second (number of bytes per second).
.TP
\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is above \fIamount\fP/quantum.
.TP
\fB\-\-hashlimit\-burst\fP \fIamount\fP
Maximum initial number of packets to match: this number gets recharged by one
every time the limit specified above is not reached, up to this number; the
default is 5. When byte-based rate matching is requested, this option specifies
the amount of bytes that can exceed the given rate. This option should be used
with caution: if the entry expires, the burst value is reset too.
.TP
\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
A comma-separated list of objects to take into consideration. If no
\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
expense of doing the hash housekeeping.
.TP
\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
grouped according to the given prefix length and the so-created subnet will be
subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
srcip for \-\-hashlimit\-mode, but is technically more expensive.
.TP
\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
Like \-\-hashlimit\-srcmask, but for destination addresses.
.TP
\fB\-\-hashlimit\-name\fP \fIfoo\fP
The name for the /proc/net/ipt_hashlimit/foo entry.
.TP
\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
The number of buckets of the hash table.
.TP
\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
Maximum entries in the hash.
.TP
\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
After how many milliseconds hash entries expire.
.TP
\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
How many milliseconds between garbage collection intervals.
.PP
Examples:
.TP
matching on source host
"1000 packets per second for every host in 192.168.0.0/16" =>
\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
.TP
matching on source port
"100 packets per second for every service of 192.168.1.1" =>
\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
.TP
matching on subnet
"10000 packets per minute for every /28 subnet (groups of 16 addresses)
in 10.0.0.0/8" =>
\-s 10.0.0.0/8 \-\-hashlimit\-mode srcip \-\-hashlimit\-srcmask 28 \-\-hashlimit\-upto 10000/min
.TP
matching bytes per second
"flows exceeding 512kbyte/s" =>
\-\-hashlimit\-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s
.TP
matching bytes per second
"hosts that exceed 512kbyte/s, but permit up to 1 Megabyte without matching" =>
\-\-hashlimit\-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit\-burst 1mb
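.PP
The grouping, burst and expiry semantics described above, modelled as a token bucket in Python (an added example, not code from iptables or this manual page): the hash key is built only from the \-\-hashlimit\-mode fields, with addresses truncated to the srcmask/dstmask prefix; each group owns a bucket of \-\-hashlimit\-burst tokens that refills at the \-\-hashlimit\-upto rate; and an expired entry starts again with a full burst, which is the caveat given for \-\-hashlimit\-burst. The continuous token bucket, the HashLimit class and the traffic in run_scenario are assumptions made for this example; the kernel accounts in integer credits and may differ at the exact boundary.

```python
import ipaddress

class HashLimit:
    def __init__(self, upto, burst=5, mode=("srcip",), srcmask=32, dstmask=32,
                 expire_ms=10000, above=False):
        self.rate, self.burst, self.mode = upto, burst, mode  # pkt/s, --hashlimit-burst, --hashlimit-mode
        self.srcmask, self.dstmask = srcmask, dstmask          # --hashlimit-srcmask / --hashlimit-dstmask
        self.expire = expire_ms / 1000.0                       # --hashlimit-htable-expire, in seconds
        self.above = above                                     # True models --hashlimit-above
        self.table = {}                                        # the /proc/net/ipt_hashlimit/<name> table

    def key(self, pkt):
        """Group key: only the --hashlimit-mode fields, addresses cut to their prefix."""
        def net(ip, plen):
            return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
        fields = {"srcip": net(pkt["src"], self.srcmask), "dstip": net(pkt["dst"], self.dstmask),
                  "srcport": pkt["sport"], "dstport": pkt["dport"]}
        return tuple(fields[m] for m in self.mode)

    def match(self, pkt, now):
        """Does the rule match this packet at time `now` (seconds)? Token-bucket model
        (a modelling assumption: the kernel's integer credits may differ at the edge)."""
        k = self.key(pkt)
        ent = self.table.get(k)
        if ent is None or now >= ent["expires"]:
            # A new or expired entry starts with a full burst: this is why the
            # manual warns that an expiring entry resets the burst value.
            ent = {"credit": float(self.burst), "last": now}
        else:  # refill at the configured rate, capped at the burst size
            ent["credit"] = min(self.burst, ent["credit"] + (now - ent["last"]) * self.rate)
            ent["last"] = now
        ent["expires"] = now + self.expire
        self.table[k] = ent
        within = ent["credit"] >= 1.0
        if within:
            ent["credit"] -= 1.0
        return (not within) if self.above else within

def run_scenario():
    """Constructed traffic against '2/sec per source /24, burst 3, 10 s expiry'."""
    hl = HashLimit(upto=2, burst=3, srcmask=24)
    pk = lambda src: {"src": src, "sport": 40000, "dst": "192.0.2.10", "dport": 22}
    events = [(0.0, "10.0.0.1"), (0.0, "10.0.0.2"), (0.0, "10.0.0.3"),  # one /24 group
              (0.0, "10.0.0.4"),   # fourth packet of that group: burst spent
              (0.0, "10.0.1.1"),   # another /24: its own fresh bucket
              (0.5, "10.0.0.5"),   # 0.5 s at 2/s refilled one token
              (0.5, "10.0.0.6"),   # spent again
              (11.0, "10.0.0.7")]  # entry expired: burst is reset
    return [hl.match(pk(src), t) for t, src in events]
```

run_scenario() returns one boolean per packet, True where the \-\-hashlimit\-upto rule would match; passing above=True inverts the result in the same way \-\-hashlimit\-above does.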