You should look into the hashlimit module, which allows you to limit based on srcip, dst ip (or some combination of sorts), which should provide much better granularity for you.

On Sun, Dec 9, 2012 at 2:41 PM, Jan Engelhardt <jengelh@xxxxxxx> wrote:
> On Sunday 2012-12-09 21:05, Darius Jahandarie wrote:
>
>>Hi all. I currently have an iptables rule like follows in the raw table:
>>
>>-A PREROUTING -p tcp --dport 1234 --syn -m limit --limit 10000/sec
>>--limit-burst 10000 -j ACCEPT
>>-A PREROUTING -p tcp --syn -j DROP
>>
>>Does anyone have thoughts on a way to get some sort of rate-limiting
>>(TBF or otherwise) that can handle more PPS than the limit module
>>while still being as efficient as possible?
>
> -j RATEEST, -m rateest
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
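As an added illustration (not code from the thread or from netfilter): a token-bucket model of what the two matches do to a SYN flood. Darius's rule uses `-m limit`, which keeps one bucket for every packet the rule sees, so a flood drains the bucket and legitimate SYNs are dropped alongside the attacker's. `-m hashlimit --hashlimit-mode srcip` keeps a bucket per source address, so the flood only drains the attacker's own buckets. The equivalent raw-table rule would be roughly `-A PREROUTING -p tcp --dport 1234 --syn -m hashlimit --hashlimit-mode srcip --hashlimit-upto 20/sec --hashlimit-burst 20 --hashlimit-name syn -j ACCEPT` (assumed for this example; the rates here are scaled down from the 10000/sec in the original rule, and the addresses and the packet trace are constructed, not captured).

```python
"""Token-bucket model of two iptables rate-limit matches applied to inbound SYNs.

  -m limit     --limit R --limit-burst B                   one bucket for all traffic
  -m hashlimit --hashlimit-upto R --hashlimit-burst B
               --hashlimit-mode srcip --hashlimit-name syn  one bucket per source

Constructed trace (not captured traffic): one legitimate client sending 10 SYN/s
and 20 attacker sources each sending 50 SYN/s.  Times are in milliseconds and
tokens in millitokens so the arithmetic is exact integer arithmetic.
"""
from collections import Counter

LEGIT = "10.0.0.5"                                      # hypothetical client
ATTACKERS = [f"198.51.100.{i}" for i in range(1, 21)]   # hypothetical flood sources


class TokenBucket:
    """Classic token bucket: `rate` tokens/second, capacity `burst` tokens."""

    def __init__(self, rate, burst):
        self.rate = rate              # tokens/s == millitokens per ms
        self.cap = burst * 1000
        self.tokens = self.cap        # buckets start full, like -m limit
        self.last_ms = 0

    def take(self, now_ms):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:       # one packet costs one token
            self.tokens -= 1000
            return True
        return False


class GlobalLimit:
    """-m limit: a single bucket shared by every packet the rule matches."""

    def __init__(self, rate, burst):
        self.bucket = TokenBucket(rate, burst)

    def accept(self, src, now_ms):
        return self.bucket.take(now_ms)


class PerSourceHashlimit:
    """-m hashlimit --hashlimit-mode srcip: one bucket per source address,
    created when the source is first seen.  The kernel additionally expires
    idle entries and bounds the table size; both are left out of this model."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.table = {}

    def accept(self, src, now_ms):
        bucket = self.table.get(src)
        if bucket is None:
            bucket = self.table[src] = TokenBucket(self.rate, self.burst)
        return bucket.take(now_ms)


def build_trace():
    """One second of SYNs, in time order: attackers take turns every ms
    (1000 SYN/s total, 50 SYN/s each); the client sends one SYN every 100 ms."""
    events = []
    for ms in range(1000):
        events.append((ms, ATTACKERS[ms % 20]))
        if ms % 100 == 0:
            events.append((ms, LEGIT))
    return events


def run(policy, events):
    """Return a Counter of accepted SYNs per source address."""
    accepted = Counter()
    for now_ms, src in events:
        if policy.accept(src, now_ms):
            accepted[src] += 1
    return accepted


def compare():
    """Run both policies over the same trace and summarise accepted SYNs."""
    events = build_trace()
    results = {}
    for name, policy in (("limit", GlobalLimit(100, 100)),
                         ("hashlimit-srcip", PerSourceHashlimit(20, 20))):
        acc = run(policy, events)
        results[name] = {"legit": acc[LEGIT],
                         "attackers": sum(acc[a] for a in ATTACKERS)}
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:16s} client {r['legit']:2d}/10 accepted, "
              f"attackers {r['attackers']:4d}/1000 accepted")
```

With this trace the global `limit` bucket lets only 2 of the client's 10 SYNs through (the flood keeps the bucket empty), while the per-source `hashlimit` accepts all 10 and caps each attacker address separately. Two caveats a deployment needs: per-source buckets only help when the flood comes from a bounded set of addresses, since a spoofed-source SYN flood gets a fresh bucket for every address it invents, and the hashlimit table itself is a resource, so set `--hashlimit-htable-max` and `--hashlimit-htable-expire` deliberately rather than relying on the defaults.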