libxt_hashlimit.man revision c5424b94a548cd549b2be1396ce35f82f2df18bf 
1\fBhashlimit\fR uses hash buckets to express a rate limiting match (like the
2\fBlimit\fR match) for a group of connections using a \fBsingle\fR iptables
3rule. Grouping can be done per-hostgroup (source and/or destination address)
4and/or per-port. It gives you the ability to express "\fIN\fR packets per time
5quantum per group":
6.TP
7matching on source host
8"1000 packets per second for every host in 192.168.0.0/16"
9.TP
10matching on source port
11"100 packets per second for every service of 192.168.1.1"
12.TP
13matching on subnet
14"10000 packets per minute for every /28 subnet in 10.0.0.0/8"
15.PP
16A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
17\fB\-\-hashlimit\-name\fP are required.
18.TP
19\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
20Match if the rate is below or equal to \fIamount\fR/quantum. It is specified as
21a number, with an optional time quantum suffix; the default is 3/hour.
22.TP
23\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
24Match if the rate is above \fIamount\fR/quantum.
25.TP
26\fB\-\-hashlimit\-burst\fP \fIamount\fP
27Maximum initial number of packets to match: this number gets recharged by one
28every time the limit specified above is not reached, up to this number; the
29default is 5.
30.TP
31\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
32A comma-separated list of objects to take into consideration. If no
33\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
34expensive of doing the hash housekeeping.
35.TP
36\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
37When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
38grouped according to the given prefix length and the so-created subnet will be
39subject to hashlimit. \fIprefix\fR must be between (inclusive) 0 and 32. Note
40that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
41srcip for \-\-hashlimit\-mode, but is technically more expensive.
42.TP
43\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
44Like \-\-hashlimit\-srcmask, but for destination addresses.
45.TP
46\fB\-\-hashlimit\-name\fP \fIfoo\fP
47The name for the /proc/net/ipt_hashlimit/foo entry.
48.TP
49\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
50The number of buckets of the hash table
51.TP
52\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
53Maximum entries in the hash.
54.TP
55\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
56After how many milliseconds do hash entries expire.
57.TP
58\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
59How many milliseconds between garbage collection intervals.
60