Re: limit number of connections per ip

Linux Advanced Routing and Traffic Control

So Rasmus,

If I put a limit on TCP connections, will it reflect on UDP connections
over the same source IP?

How can I put a limit on TCP connections?

Att,

Nataniel Klug

----- Original Message ----- 
From: "Rasmus Melgaard" <rme@xxxxxxxx>
To: <lartc@xxxxxxxxxxxxxxx>
Sent: Thursday, February 02, 2006 7:17 PM
Subject: Re:  limit number of connections per ip


> Well, only TCP has connections; UDP has none, it is only a stream of
> packets.
>
> So for each user (IP) you could make a class for TCP and one for UDP.
>
>          IP
>         /  \
>       TCP  UDP
>
> The TCP class you already know how to limit; the UDP class I would limit
> with pfifo with a suitable packet limit setting (in practice this would
> lead to the same effect as the TCP conn. limiting), although not a hard
> limit.
>
> Extra:
> I would make a separate high-prio class for ICMP to communicate errors and
> connection failures back and forth.
>
> NB! P2P normally uses TCP (I know BitTorrent does)
>
> BR
> Rasmus Melgaard
>
>
>
> On Thursday 02 February 2006 21:58, Jan Tomak wrote:
> >   Hello!
> >
> >   I've read a lot of mail archives, but can't find a solution for my
> > problem. I have a router with about 700 users. I'm using HTB with SFQ leaf
> > qdiscs for every user (client IP), so different IPs can have their own
> > rate limits. This scheme has been working fine for a long time. But how
> > can I limit the number of connections (sessions) from one host? I see
> > from ip_conntrack that some users have more than 1000 active connections
> > (mostly P2P UDP). As I know there is a connlimit patch for iptables, but
> > it is capable of limiting only TCP sessions. And there is the ESFQ qdisc,
> > allowing bandwidth to be divided more fairly, but only inside one class.
> > In my case every user has its own class, and I'm not able to control how
> > many connections they make simultaneously by implementing ESFQ! Also I
> > don't understand how to deal with it from the iptables side - connlimit
> > will not help with UDP.
> >
> >   What can be done in my case?
> >
> >
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

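Rasmus's per-IP split (one HTB class per user, with a TCP leaf under SFQ and a UDP leaf under a short pfifo, plus a small high-priority ICMP class) written out as tc commands. This is an added example, not a script from the thread; the device name, addresses, rates, class numbers and the pfifo limit are assumed placeholders, and setting TC=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Builds one per-user HTB subtree in the
# shape Rasmus sketches (IP -> TCP, UDP) plus a small high-priority ICMP class.
# DEV, IPs, rates, class numbers and the pfifo limit are assumed placeholders.
# Set TC=echo to print the commands instead of applying them.
TC=${TC:-tc}
DEV=${DEV:-eth0}

# Root HTB; unclassified traffic falls into 1:9999. ICMP gets its own class so
# errors and connection failures still get through when a user's leaf is full.
setup_root() {
    $TC qdisc add dev "$DEV" root handle 1: htb default 9999
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate 100mbit
    $TC class add dev "$DEV" parent 1:1 classid 1:2 htb rate 256kbit ceil 1mbit prio 0
    $TC class add dev "$DEV" parent 1:1 classid 1:9999 htb rate 1mbit
    $TC filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip protocol 1 0xff flowid 1:2
}

# add_user_classes INDEX IP RATE [UDP_PFIFO_LIMIT]
# Class ids derive from INDEX: parent 1:<INDEX>0, TCP 1:<INDEX>1, UDP 1:<INDEX>2.
# The TCP leaf keeps the SFQ the original setup already uses; the UDP leaf gets
# a short pfifo, so a burst of P2P datagrams from that IP is dropped rather
# than queued. Children get a small guaranteed floor (assumed 64kbit) and
# borrow up to the parent's RATE. Filters match "ip src" (traffic from the
# user); use "ip dst" on the interface that faces the users.
add_user_classes() {
    idx=$1; ip=$2; rate=$3; udp_limit=${4:-50}
    parent="1:${idx}0"; tcp="1:${idx}1"; udp="1:${idx}2"
    $TC class add dev "$DEV" parent 1:1 classid "$parent" htb rate "$rate" ceil "$rate"
    $TC class add dev "$DEV" parent "$parent" classid "$tcp" htb rate 64kbit ceil "$rate" prio 1
    $TC class add dev "$DEV" parent "$parent" classid "$udp" htb rate 64kbit ceil "$rate" prio 2
    $TC qdisc add dev "$DEV" parent "$tcp" handle "${idx}1:" sfq perturb 10
    $TC qdisc add dev "$DEV" parent "$udp" handle "${idx}2:" pfifo limit "$udp_limit"
    $TC filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
        match ip src "$ip/32" match ip protocol 6 0xff flowid "$tcp"
    $TC filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
        match ip src "$ip/32" match ip protocol 17 0xff flowid "$udp"
}

# Apply only when run as "./shape.sh apply"; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
    setup_root
    add_user_classes 10 192.168.1.10 512kbit 50   # assumed sample user
fi
```

The pfifo limit only bounds how many UDP packets from that IP can wait in the queue at once, which is the soft, not hard, connection limit Rasmus describes.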
