On Monday 2012-12-10 05:56, 叶雨飞 wrote:

>you should look into hashlimit module, which allows you to limit based
>on src IP, dst IP (or some combination of sorts). which should provide
>much better granularity for you.

Read the mail. It's not about addresses, but rate. hashlimit inherits
the same characteristic as xt_limit and behaves similarly funky at
10000/s.

>On Sun, Dec 9, 2012 at 2:41 PM, Jan Engelhardt <jengelh@xxxxxxx> wrote:
>> On Sunday 2012-12-09 21:05, Darius Jahandarie wrote:
>>
>>>Hi all. I currently have an iptables rule like follows in the raw table:
>>>
>>>-A PREROUTING -p tcp --dport 1234 --syn -m limit --limit 10000/sec
>>>--limit-burst 10000 -j ACCEPT
>>>-A PREROUTING -p tcp --syn -j DROP
>>>
>>>Does anyone have thoughts on a way to get some sort of rate-limiting
>>>(TBF or otherwise) that can handle more PPS than the limit module
>>>while still being as efficient as possible?
>>
>> -j RATEEST, -m rateest
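The RATEEST/rateest pairing Jan points to, spelled out as a small script. This is an added example, not code from the thread or from the netfilter project: the estimator name `syn-est`, the 250ms sampling interval, the 500ms EWMA window and the 10000 pps threshold are assumed values, port 1234 is taken from Darius's rule. `-j RATEEST` is a non-terminating target that only feeds the estimator, so the SYN still continues down the chain to the `-m rateest` rule, which drops it once the estimated rate is above the threshold. The rules are generated as strings first so they can be inspected without root; `apply` installs them with `iptables` (needs the xt_RATEEST and xt_rateest modules).

```shell
#!/bin/sh
# Added example: SYN rate limiting in the raw table with -j RATEEST / -m rateest
# instead of -m limit. All tunables below are assumptions, not values from the mail.
PORT=${PORT:-1234}
EST_NAME=${EST_NAME:-syn-est}
PPS_LIMIT=${PPS_LIMIT:-10000}

# Emit the iptables arguments, one rule per line, without executing anything.
rateest_rules() {
    # 1. Feed every incoming SYN for the port into the rate estimator.
    printf '%s\n' "-t raw -A PREROUTING -p tcp --dport $PORT --syn -j RATEEST --rateest-name $EST_NAME --rateest-interval 250ms --rateest-ewmalog 500ms"
    # 2. Drop SYNs while the estimated packet rate is above the threshold.
    printf '%s\n' "-t raw -A PREROUTING -p tcp --dport $PORT --syn -m rateest --rateest $EST_NAME --rateest-gt --rateest-pps $PPS_LIMIT -j DROP"
    # 3. Everything under the threshold is accepted early, as in the original rule.
    printf '%s\n' "-t raw -A PREROUTING -p tcp --dport $PORT --syn -j ACCEPT"
}

# Number of rules the generator produces (used for a dry-run check).
rule_count() {
    rateest_rules | awk 'END { print NR }'
}

# Install the generated rules; requires root and the rateest kernel modules.
apply_rules() {
    rateest_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule || return 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    rateest_rules
fi
```

Run it without arguments to review the rules, and with `apply` to install them. The 500ms EWMA window is what smooths the estimate: a shorter window reacts faster to a burst, a longer one tolerates short spikes above the threshold.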