Retesh wrote:
> Hi All
> I am having a scenario where the iptables hashlimit feature is not
> working as expected. Following is the list of IP rules
>
>  pkts bytes target prot opt in  out source   destination
>
> INPUT (policy ACCEPT 1342 packets, 488K bytes)
>  1840  755K TEST   all  --  any any anywhere anywhere
>
> TEST (1 references)
>     0     0 CHAIN2 all  --  any any anywhere anywhere  set SET2 dst
>  1840  755K CHAIN1 all  --  any any anywhere anywhere  set SET1 dst
>
> CHAIN1 (1 references)
>   919  375K ACCEPT all  --  any any anywhere anywhere  limit: avg 200/sec burst 10 mode dstip
>   921  380K LOG    all  --  any any anywhere anywhere  LOG level warning prefix `_SET1'
>
> CHAIN2 (1 references)
>     0     0 ACCEPT all  --  any any anywhere anywhere  limit: avg 50/sec burst 10 mode dstip
>     0     0 LOG    all  --  any any anywhere anywhere  LOG level warning prefix `_SET2'
>
> Here, SET1 and SET2 are iphash
>
> Now after applying the above rules, irrespective of which set (SET1 or
> SET2) I send the packets from, I find that the limit that is used is
> 50/s, even though there are different chains for different sets. That
> is, packets from SET1 match CHAIN1 but the hashlimit value that's used
> is 50/s.
> So effectively the hashlimit that is set for all the chains is the one
> in the chain that occurs first.
>
> Am I doing something wrong here, or is this a limitation with hashlimit?

This is a known problem; the limit is a property of the hashlimit table, not the individual rules. You have to use separate --hashlimit-name parameters.
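The reply's fix, as an added example that is not code from the thread or from the netfilter project: the quoted ruleset rebuilt as iptables commands, with the shared-table version that reproduces the report beside the version with one --hashlimit-name per chain. The chain, table and set names, the dry-run helper and the option spellings noted in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): the ruleset quoted above rebuilt
# as iptables commands, once sharing one hashlimit table as reported, once
# with a distinct --hashlimit-name per chain as the reply recommends.
# Assumes iptables with the ipset ("-m set --match-set") and hashlimit
# extensions; --hashlimit-upto is the current spelling of the rate option
# (older releases write --hashlimit). Set IPT=echo to print the commands
# instead of loading them (loading needs root).
IPT="${IPT:-iptables}"

# Build one chain that accepts up to a per-destination-IP rate and logs the
# rest.  $1 = chain, $2 = rate, $3 = hashlimit table name, $4 = log prefix
limit_chain() {
    $IPT -N "$1"
    $IPT -A "$1" -m hashlimit --hashlimit-mode dstip \
        --hashlimit-upto "$2" --hashlimit-burst 10 \
        --hashlimit-name "$3" -j ACCEPT
    $IPT -A "$1" -j LOG --log-level warning --log-prefix "$4"
}

# Reproduces the reported behaviour: both chains name the same table, so
# they share one rate (the one from the chain loaded first, as observed).
broken_ruleset() {
    limit_chain CHAIN2 50/sec  hl_shared _SET2
    limit_chain CHAIN1 200/sec hl_shared _SET1
}

# The fix from the reply: one table name per chain, hence one rate each.
fixed_ruleset() {
    limit_chain CHAIN2 50/sec  hl_set2 _SET2
    limit_chain CHAIN1 200/sec hl_set1 _SET1
}

# Route traffic into the chains by ipset membership (the TEST chain above);
# load a ruleset first so the jump targets exist.
dispatch() {
    $IPT -N TEST
    $IPT -A TEST -m set --match-set SET2 dst -j CHAIN2
    $IPT -A TEST -m set --match-set SET1 dst -j CHAIN1
    $IPT -A INPUT -j TEST
}

# Dry-run check: how many distinct hashlimit tables would ruleset $1 create?
# broken_ruleset -> 1, fixed_ruleset -> 2.
distinct_tables() {
    ( IPT=echo; "$1" ) | grep -o -- '--hashlimit-name [^ ]*' | sort -u | wc -l | tr -d ' '
}
```

Run as root, `fixed_ruleset; dispatch` loads the corrected rules; `distinct_tables broken_ruleset` prints 1 and `distinct_tables fixed_ruleset` prints 2 without touching the firewall.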