Re: limit number of connections per ip

Linux Advanced Routing and Traffic Control

Well, only TCP has connections; UDP has none, it is only a stream of packets.

So for each user (IP) you could make a class for TCP and one for UDP.

          IP
         /  \
      TCP    UDP

The TCP class you already know how to limit, the UDP class I would limit with 
pfifo with a suitable packet limit setting (in practice this would lead to the 
same effect as the TCP conn. limiting). Although not a hard limit.

Extra:
I would make a separate high prio class for ICMP to communicate errors and 
connection failures back and forth.

NB! P2P normally uses TCP (I know BitTorrent does)

BR
Rasmus Melgaard



On Thursday 02 February 2006 21:58, Jan Tomak wrote:
>   Hello!
>
>   I've read a lot of mail archives, but can't find solutions for my
> problem. I have a router with about 700 users. I'm using HTB with SFQ leaf
> qdiscs for every user (client ip). So, different IPs can have their own rate
> limit. This scheme is working fine for a long time. But how can I limit the
> number of connections (sessions) from one host? I see from ip_conntrack
> that some of the users have more than 1000 active connections (mostly P2P udp).
> As I know there is a connlimit patch for iptables, but it is capable of limiting
> only tcp sessions. And there is the ESFQ qdisc, allowing to divide bandwidth
> more fairly, but inside one class. In my case every user has its own class
> and I'm not able to control how many connections they make simultaneously by
> implementing ESFQ! Also I don't understand how to deal with it from the iptables
> side - connlimit will not help with UDP.
>
>   What can be done in my case?
>
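The per-user TCP/UDP split that Rasmus sketches, as an added tc example that is not part of the original thread. It assumes (all constructed) that eth0 faces the users and already carries the HTB root qdisc "1:" with top class 1:1, that class ids 1:<n>0, 1:<n>1 and 1:<n>2 are free for each user's parent, TCP and UDP classes, that 1:9 is free for ICMP, and that rates are given in kbit; `per_user_classes` and `icmp_class` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post: one way to build the per-user
# hierarchy Rasmus describes with tc. Each user IP gets an HTB class with a TCP
# child (SFQ leaf, as the asker already runs) and a UDP child whose leaf is a
# pfifo with a small packet limit, plus one high-priority ICMP class.
# Assumptions (all constructed): eth0 faces the users and already has the HTB
# root "1:" with top class 1:1; class ids 1:<n>0/<n>1/<n>2 per user; ICMP in 1:9.
# Dry run by default (prints the commands); set TC=tc to apply them as root.

TC="${TC:-echo}"
DEV="${DEV:-eth0}"

# per_user_classes <user-ip> <class-minor> <rate-kbit>
per_user_classes() {
    ip="$1"; n="$2"; rate="$3"; half=$((rate / 2))
    # parent class: the user's total rate, as in the existing per-IP setup
    $TC class add dev "$DEV" parent 1:1 classid "1:${n}0" htb rate "${rate}kbit" ceil "${rate}kbit"
    # TCP child keeps the SFQ leaf; it may borrow up to the full user rate
    $TC class add dev "$DEV" parent "1:${n}0" classid "1:${n}1" htb rate "${half}kbit" ceil "${rate}kbit"
    $TC qdisc add dev "$DEV" parent "1:${n}1" handle "${n}1:" sfq perturb 10
    # UDP child: a short pfifo drops excess datagrams instead of queueing them,
    # which caps what a P2P flood can occupy (a soft limit, not a session count)
    $TC class add dev "$DEV" parent "1:${n}0" classid "1:${n}2" htb rate "${half}kbit" ceil "${rate}kbit"
    $TC qdisc add dev "$DEV" parent "1:${n}2" handle "${n}2:" pfifo limit 20
    # u32 filters: this user's address, then IP protocol 6 (TCP) or 17 (UDP)
    $TC filter add dev "$DEV" parent 1: protocol ip prio 10 u32 \
        match ip dst "$ip" match ip protocol 6 0xff flowid "1:${n}1"
    $TC filter add dev "$DEV" parent 1: protocol ip prio 10 u32 \
        match ip dst "$ip" match ip protocol 17 0xff flowid "1:${n}2"
}

# icmp_class: small high-priority class so errors and unreachables get through
icmp_class() {
    $TC class add dev "$DEV" parent 1:1 classid 1:9 htb rate 64kbit ceil 256kbit prio 0
    $TC qdisc add dev "$DEV" parent 1:9 handle 9: pfifo limit 10
    $TC filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip protocol 1 0xff flowid 1:9
}

# Sample run with two constructed user addresses and a 512 kbit rate each
icmp_class
per_user_classes 10.0.0.5 10 512
per_user_classes 10.0.0.6 11 512
```

The pfifo limit only bounds how many datagrams sit in the user's UDP queue, so a heavy P2P host loses excess packets early rather than being held to a session count; watch `tc -s qdisc show dev eth0` for drops on the per-user pfifo handles to tune the limit.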
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
