Hi,

I've been trying to set up hashlimit on Linux (as an L3 gateway) to limit the pps per IP. I have two questions:

1) For performance reasons I have marked all traffic forwarded by the box as NOTRACK in the raw table; would that affect hashlimit in any way?

2) (There are only about 200 IPs in total.) I found out that when I use this:

    iptables -A FORWARD -m hashlimit --hashlimit-name limit1 \
      --hashlimit-htable-size 4096 --hashlimit-htable-expire 60000 \
      --hashlimit-srcmask 32 --hashlimit-mode srcip \
      --hashlimit-upto 100/sec \
      -j ACCEPT

it still drops quite a few packets even though the rate is well under 100/sec. Then I found out that if I add --hashlimit-burst 100, no packets will be dropped anymore (it appears to be working correctly). The documentation is very vague on this burst parameter; how much should I set it to if I just want to limit packets to 100/sec? Also, does --hashlimit-htable-expire affect the rate limiting?

Thanks.
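As an added illustration (not code from the original post or from netfilter), here is a token-bucket model of the hashlimit match showing why a source that averages well under 100/sec still loses packets at the default --hashlimit-burst of 5, and why a burst at least as large as the largest instantaneous packet burst removes the drops. Assumptions: one bucket per source IP holding at most `burst` packets of credit, refilled at the --hashlimit-upto rate; the traffic pattern and the 192.0.2.10 address are constructed.

```python
"""Token-bucket model of iptables hashlimit (added example, assumption-based).
One bucket per source IP, capped at --hashlimit-burst packets (iptables
default 5), refilled at the --hashlimit-upto rate.  Credit is kept as an
integer in 1/1000-packet units so the arithmetic is exact."""

COST = 1000  # credit consumed per packet (1/1000 packet units)


class HashLimit:
    def __init__(self, rate_pps: int, burst: int = 5):
        self.rate = rate_pps            # --hashlimit-upto N/sec
        self.cap = burst * COST         # --hashlimit-burst, in credit units
        self.buckets = {}               # src ip -> [credit, last_seen_ms]

    def match(self, src: str, now_ms: int) -> bool:
        """True if the packet from src arriving at now_ms is within the limit."""
        credit, last = self.buckets.get(src, [self.cap, now_ms])
        # elapsed ms * packets-per-second == credit in 1/1000 packet units
        credit = min(self.cap, credit + (now_ms - last) * self.rate)
        if credit >= COST:
            self.buckets[src] = [credit - COST, now_ms]
            return True
        self.buckets[src] = [credit, now_ms]
        return False


def simulate(burst: int, rate_pps: int = 100) -> dict:
    """Constructed traffic: one host sends a 20-packet burst (1 ms apart) once
    per second for 5 s, an average of only 20 pps.  Returns accept/drop counts."""
    hl = HashLimit(rate_pps, burst)
    counts = {"accepted": 0, "dropped": 0}
    for second in range(5):
        for i in range(20):
            ok = hl.match("192.0.2.10", second * 1000 + i)
            counts["accepted" if ok else "dropped"] += 1
    return counts


if __name__ == "__main__":
    # default burst of 5 drops 70 of 100 packets; burst >= 20 drops none
    for burst in (5, 20, 100):
        print(f"--hashlimit-burst {burst}: {simulate(burst)}")
```

With the default burst the bucket holds only 5 packets of credit, so each 20-packet burst is cut down to the 5 stored plus whatever refills during the burst, regardless of how low the average rate is.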