> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of woger151
> Sent: Friday, November 03, 2006 7:20 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: hashlimit bucket
>
> Can one have multiple iptables rules with hashlimit statements, with the
> same --hashlimit-name?

Yes.

> And would that mean there's actually just one bucket for all those rules?

Not one bucket but one hash table.

You probably already know this, but a hash table is simply an array with a 'function' to map a value to an index in the array. Each cell in the array is a 'bucket' in hash terminology. When more than one value maps to the same 'bucket', a 'chain' is created. Ideally, with the correct hash function, the chains are small because the function is random enough.

I haven't looked at the hashlimit code, but I imagine the hash function is based on the tuple specified: dstip, dstport, etc.

> Can one have multiple hashlimit rules, period?

I'm not sure what you mean by this ... would you please elaborate?

> What about different chains feeding into one chain with a hashlimit
> statement? Is that OK?

Recall that hashlimit stores all hash tables in /proc/net/ipt_hashlimit. A file is created per --hashlimit-name.

With that in mind, any iptables rule can manipulate a given --hashlimit-name. If you don't specify a --hashlimit-name, DEFAULT will be used.

I hope that helps.

Cheers,
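An added example illustrating the point made in the reply above (it is not code from the thread or from the netfilter project): three rules in two different chains, two of them naming the same table and one with no name, and a small helper that maps each rule to the hash table file it would create under /proc/net/ipt_hashlimit. The table name ssh_rate, the chain names FROM_LAN and FROM_DMZ, and the rates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Chain names, table name and
# rates are constructed; running the emitted commands needs root and the
# hashlimit match.

# Rate-limit new SSH connections per source IP. Both chains use the SAME
# --hashlimit-name, so they share one hash table: a host's bucket is charged
# whether its packets arrive via FROM_LAN or FROM_DMZ.
hashlimit_rule() {  # $1 = chain
    printf 'iptables -A %s -p tcp --dport 22 --syn -m hashlimit --hashlimit 10/minute --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name ssh_rate -j ACCEPT\n' "$1"
}

# The same kind of rule with no --hashlimit-name: it lands in the table
# called DEFAULT, shared with every other unnamed hashlimit rule.
unnamed_rule() {  # $1 = chain
    printf 'iptables -A %s -p udp --dport 53 -m hashlimit --hashlimit 50/second --hashlimit-mode srcip -j ACCEPT\n' "$1"
}

# The full rule set: two named rules in two chains plus one unnamed rule.
rule_set() {
    hashlimit_rule FROM_LAN
    hashlimit_rule FROM_DMZ
    unnamed_rule FROM_LAN
}

# Map each rule line on stdin to the hash table it touches (DEFAULT when the
# rule carries no --hashlimit-name). Once the rules are loaded, this is the
# set of file names you would see with: ls /proc/net/ipt_hashlimit
table_of() {
    sed -n -e 's/.*--hashlimit-name \([^ ]*\).*/\1/p' \
           -e t \
           -e 's/.*-m hashlimit.*/DEFAULT/p'
}

# Distinct tables created by the rule set: three rules, only two tables.
distinct_tables() {
    rule_set | table_of | sort -u
}

# Usage: rule_set | sh     (as root) to load the rules, then
#        ls /proc/net/ipt_hashlimit   to confirm one file per table name.
distinct_tables
```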