hashlimit not working as expected

Hello:

I have the following rule in my iptables setup:

-A LogLimit -m hashlimit --hashlimit 1/hour --hashlimit-burst 1 --hashlimit-name loglimit --hashlimit-mode srcip -j LOG --log-level 6 --log-prefix "LogLimit:1:LOG "

My goal is to log connections to an incoming port, but restrict the logging to one entry per IP address per hour. But instead, I get log entries from the same IP address as close together as 10 seconds.

I have looked at /proc/net/ipt_hashlimit/loglimit and see contents in that file, but the contents only last for ten seconds and then the file is cleared (or the corresponding entry is removed):

Sun Feb 14 23:40:21 EST 2010
9 65.55.158.80:0->0.0.0.0:0 21632 115200000 115200000
9 91.113.8.223:0->0.0.0.0:0 23936 115200000 115200000
Sun Feb 14 23:40:22 EST 2010
9 65.55.158.80:0->0.0.0.0:0 53760 115200000 115200000
8 91.113.8.223:0->0.0.0.0:0 56064 115200000 115200000
Sun Feb 14 23:40:23 EST 2010
8 65.55.158.80:0->0.0.0.0:0 86016 115200000 115200000
7 91.113.8.223:0->0.0.0.0:0 88320 115200000 115200000
Sun Feb 14 23:40:24 EST 2010
9 65.55.158.80:0->0.0.0.0:0 118144 115200000 115200000
6 91.113.8.223:0->0.0.0.0:0 120448 115200000 115200000
Sun Feb 14 23:40:25 EST 2010
8 65.55.158.80:0->0.0.0.0:0 150272 115200000 115200000
5 91.113.8.223:0->0.0.0.0:0 152576 115200000 115200000
Sun Feb 14 23:40:26 EST 2010
7 65.55.158.80:0->0.0.0.0:0 182400 115200000 115200000
4 91.113.8.223:0->0.0.0.0:0 184704 115200000 115200000
Sun Feb 14 23:40:27 EST 2010
6 65.55.158.80:0->0.0.0.0:0 214656 115200000 115200000
3 91.113.8.223:0->0.0.0.0:0 216960 115200000 115200000
Sun Feb 14 23:40:28 EST 2010
5 65.55.158.80:0->0.0.0.0:0 246784 115200000 115200000
2 91.113.8.223:0->0.0.0.0:0 249088 115200000 115200000
Sun Feb 14 23:40:29 EST 2010
4 65.55.158.80:0->0.0.0.0:0 278912 115200000 115200000
1 91.113.8.223:0->0.0.0.0:0 281216 115200000 115200000
Sun Feb 14 23:40:30 EST 2010
9 65.55.158.80:0->0.0.0.0:0 311040 115200000 115200000
9 91.113.8.223:0->0.0.0.0:0 313344 115200000 115200000
Sun Feb 14 23:40:31 EST 2010
9 65.55.158.80:0->0.0.0.0:0 343168 115200000 115200000
9 91.113.8.223:0->0.0.0.0:0 345472 115200000 115200000
Sun Feb 14 23:40:32 EST 2010
8 65.55.158.80:0->0.0.0.0:0 375424 115200000 115200000
8 91.113.8.223:0->0.0.0.0:0 377728 115200000 115200000
Sun Feb 14 23:40:33 EST 2010
9 65.55.158.80:0->0.0.0.0:0 408960 115200000 115200000
7 91.113.8.223:0->0.0.0.0:0 411264 115200000 115200000
Sun Feb 14 23:40:34 EST 2010
8 65.55.158.80:0->0.0.0.0:0 441088 115200000 115200000
6 91.113.8.223:0->0.0.0.0:0 443392 115200000 115200000
Sun Feb 14 23:40:35 EST 2010
7 65.55.158.80:0->0.0.0.0:0 473344 115200000 115200000
5 91.113.8.223:0->0.0.0.0:0 475648 115200000 115200000
Sun Feb 14 23:40:36 EST 2010
6 65.55.158.80:0->0.0.0.0:0 505472 115200000 115200000
4 91.113.8.223:0->0.0.0.0:0 507776 115200000 115200000
Sun Feb 14 23:40:37 EST 2010
5 65.55.158.80:0->0.0.0.0:0 537600 115200000 115200000
3 91.113.8.223:0->0.0.0.0:0 539904 115200000 115200000
Sun Feb 14 23:40:38 EST 2010
4 65.55.158.80:0->0.0.0.0:0 569728 115200000 115200000
2 91.113.8.223:0->0.0.0.0:0 572032 115200000 115200000
Sun Feb 14 23:40:39 EST 2010
3 65.55.158.80:0->0.0.0.0:0 601856 115200000 115200000
1 91.113.8.223:0->0.0.0.0:0 604160 115200000 115200000
Sun Feb 14 23:40:40 EST 2010
2 65.55.158.80:0->0.0.0.0:0 633984 115200000 115200000
0 91.113.8.223:0->0.0.0.0:0 636288 115200000 115200000
Sun Feb 14 23:40:41 EST 2010
1 65.55.158.80:0->0.0.0.0:0 666240 115200000 115200000
Sun Feb 14 23:40:42 EST 2010
0 65.55.158.80:0->0.0.0.0:0 698368 115200000 115200000
Sun Feb 14 23:40:43 EST 2010

My amateur conclusion is that the 'hashlimit' match is only doing limiting for 10 seconds -- (1) consistent with the duration I see an IP in the ipt_hashlimit directory; and (2) consistent with the fact that I have seen log entries from the same IP 11 seconds apart.

Am I understanding this correctly? Any suggestions?

Thank you.

--
Brian Schang
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
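As an added worked model (an editor's example, not code from the post above or from the netfilter project), the following Python simulates the two mechanisms that interact in the listing: hashlimit's per-source token bucket (rate, burst, cost) and the hash-table entry expiry that the first column of /proc/net/ipt_hashlimit/loglimit counts down. The default --hashlimit-htable-expire is 10000 ms; when that is shorter than the refill interval (an hour at 1/hour), an entry idle for ten seconds is garbage-collected and the next packet from the same source creates a fresh entry with a full burst, so it matches and is logged again. The packet timestamps and addresses are constructed; credit is simplified to one unit per packet instead of the kernel's scaled integers.

```python
"""Model of xt_hashlimit: a per-key token bucket whose hash entries expire.

Two configurations are compared: the default 10 s entry expiry and an
expiry at least as long as the refill interval (one hour).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class HashlimitConfig:
    rate_per_sec: float   # --hashlimit 1/hour  ->  1/3600 credits per second
    burst: int            # --hashlimit-burst: bucket capacity in credits
    expire_sec: float     # --hashlimit-htable-expire, in seconds


@dataclass
class Entry:
    credit: float         # credits available right now
    last_seen: float      # timestamp of the last packet that touched the entry
    expires: float        # entry is garbage-collected once now >= expires


def simulate(cfg: HashlimitConfig,
             packets: List[Tuple[float, str]]) -> List[Tuple[float, str]]:
    """Replay (timestamp, srcip) packets through a --hashlimit-mode srcip match.

    Returns the packets that matched, i.e. the ones the LogLimit rule would
    hand to -j LOG.  Garbage collection is modelled lazily at lookup time,
    which gives the same result as the kernel's periodic gc for this purpose.
    """
    table: Dict[str, Entry] = {}
    matched: List[Tuple[float, str]] = []
    for ts, src in packets:
        entry = table.get(src)
        if entry is not None and ts >= entry.expires:
            del table[src]          # idle longer than expire_sec: entry is gone
            entry = None
        if entry is None:
            # A new entry starts with a full burst, exactly as after a gc.
            entry = Entry(credit=float(cfg.burst), last_seen=ts,
                          expires=ts + cfg.expire_sec)
            table[src] = entry
        else:
            # Refill credits for the elapsed time, capped at the burst, and
            # push the expiry out again because the entry was just used.
            elapsed = ts - entry.last_seen
            entry.credit = min(float(cfg.burst),
                               entry.credit + elapsed * cfg.rate_per_sec)
            entry.last_seen = ts
            entry.expires = ts + cfg.expire_sec
        if entry.credit >= 1.0:     # one credit is the cost of one packet
            entry.credit -= 1.0
            matched.append((ts, src))
    return matched


# Constructed sample: one source that sends in bursts with gaps longer than
# ten seconds, and a second source that sends once.
SAMPLE_PACKETS: List[Tuple[float, str]] = [
    (0, "192.0.2.10"), (1, "192.0.2.10"), (2, "198.51.100.7"),
    (3, "192.0.2.10"), (9, "192.0.2.10"), (10, "192.0.2.10"),
    (12, "192.0.2.10"), (25, "192.0.2.10"), (40, "192.0.2.10"),
    (3700, "192.0.2.10"),
]

# 1/hour, burst 1, default entry expiry of 10 s (the posted rule).
DEFAULT_EXPIRE = HashlimitConfig(rate_per_sec=1 / 3600, burst=1, expire_sec=10.0)
# Same limit with --hashlimit-htable-expire 3600000 (one hour).
HOUR_EXPIRE = HashlimitConfig(rate_per_sec=1 / 3600, burst=1, expire_sec=3600.0)


def logged_times(cfg: HashlimitConfig, src: str) -> List[float]:
    """Timestamps at which packets from `src` would be logged under `cfg`."""
    return [ts for ts, ip in simulate(cfg, SAMPLE_PACKETS) if ip == src]


if __name__ == "__main__":
    print("10 s expiry:", logged_times(DEFAULT_EXPIRE, "192.0.2.10"))
    print("1 h  expiry:", logged_times(HOUR_EXPIRE, "192.0.2.10"))
```

With the default expiry the first source is logged at 0, 25 and 40 seconds even though its rate is 1/hour, because each gap of more than ten seconds lets the entry expire and the next packet starts a new bucket. With the expiry raised to an hour, the same traffic yields one entry at 0 and the next only at 3700 seconds, once a full refill interval has elapsed. The rule of thumb the model illustrates: --hashlimit-htable-expire must be at least the time it takes the bucket to refill, or the limit silently degrades to "once per expire interval".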
