libxt_hashlimit.man revision c6775d6c192f7e337360f238cc3ab224a406d5b8
1\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the 2\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables 3rule. Grouping can be done per-hostgroup (source and/or destination address) 4and/or per-port. It gives you the ability to express "\fIN\fP packets per time 5quantum per group": 6.TP 7matching on source host 8"1000 packets per second for every host in 192.168.0.0/16" 9.TP 10matching on source port 11"100 packets per second for every service of 192.168.1.1" 12.TP 13matching on subnet 14"10000 packets per minute for every /28 subnet in 10.0.0.0/8" 15.PP 16A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and 17\fB\-\-hashlimit\-name\fP are required. 18.TP 19\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] 20Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as 21a number, with an optional time quantum suffix; the default is 3/hour. 22.TP 23\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] 24Match if the rate is above \fIamount\fP/quantum. 25.TP 26\fB\-\-hashlimit\-burst\fP \fIamount\fP 27Maximum initial number of packets to match: this number gets recharged by one 28every time the limit specified above is not reached, up to this number; the 29default is 5. 30.TP 31\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP... 32A comma-separated list of objects to take into consideration. If no 33\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the 34expensive of doing the hash housekeeping. 35.TP 36\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP 37When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be 38grouped according to the given prefix length and the so-created subnet will be 39subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note 40that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying 41srcip for \-\-hashlimit\-mode, but is technically more expensive. 42.TP 43\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP 44Like \-\-hashlimit\-srcmask, but for destination addresses. 45.TP 46\fB\-\-hashlimit\-name\fP \fIfoo\fP 47The name for the /proc/net/ipt_hashlimit/foo entry. 48.TP 49\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP 50The number of buckets of the hash table 51.TP 52\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP 53Maximum entries in the hash. 54.TP 55\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP 56After how many milliseconds do hash entries expire. 57.TP 58\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP 59How many milliseconds between garbage collection intervals. 60