On Sun, Dec 9, 2012 at 5:41 PM, Jan Engelhardt <jengelh@xxxxxxx> wrote:
> On Sunday 2012-12-09 21:05, Darius Jahandarie wrote:
>
>>Hi all. I currently have an iptables rule as follows in the raw table:
>>
>>-A PREROUTING -p tcp --dport 1234 --syn -m limit --limit 10000/sec
>>--limit-burst 10000 -j ACCEPT
>>-A PREROUTING -p tcp --syn -j DROP
>>
>>Does anyone have thoughts on a way to get some sort of rate-limiting
>>(TBF or otherwise) that can handle more PPS than the limit module
>>while still being as efficient as possible?
>
> -j RATEEST, -m rateest

Thanks for the tip Jan -- but I've failed in my attempts to use this
target/module combo. I'm not entirely sure what my rules should be to do
something similar to the limit rule I posted. I have indeed tried to
figure it out from the docs, but the examples there are hard for me to
understand, and it doesn't provide any English for exactly how the
target and the module interact with one another.

--
Darius Jahandarie
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
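One way to write the RATEEST/rateest rules that the reply above asks about, as an added example that is not part of the thread (the estimator name, the 250ms/500ms interval and ewmalog values, and the DRY_RUN helper are assumptions; the rules are printed by default rather than loaded):

```shell
#!/bin/sh
# Added example: replace the two "limit" rules from the thread with the
# RATEEST target (feeds an estimator) plus the rateest match (tests it).
PORT=1234
MAX_SYN_PPS=10000          # same threshold as the original --limit rule
EST=syn-$PORT              # assumed estimator name (any short string)

# DRY_RUN=1 (default) prints the iptables commands instead of running
# them, so the rule logic can be inspected without root or iptables.
ipt() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

syn_rateest_rules() {
  # 1. Feed every SYN for the port into the estimator. RATEEST is a
  #    non-terminating target, so the packet continues to the next rule.
  #    It must come BEFORE the DROP: SYNs dropped earlier in the chain
  #    are never counted, and the estimate would collapse as soon as
  #    limiting kicked in, turning the gate on and off.
  ipt -t raw -A PREROUTING -p tcp --dport "$PORT" --syn \
      -j RATEEST --rateest-name "$EST" \
      --rateest-interval 250ms --rateest-ewmalog 500ms
  # 2. Drop SYNs while the smoothed SYN rate is above the threshold.
  ipt -t raw -A PREROUTING -p tcp --dport "$PORT" --syn \
      -m rateest --rateest "$EST" --rateest-gt --rateest-pps "$MAX_SYN_PPS" \
      -j DROP
  # 3. Otherwise accept SYNs to the port and drop all other SYNs,
  #    mirroring the original ruleset.
  ipt -t raw -A PREROUTING -p tcp --dport "$PORT" --syn -j ACCEPT
  ipt -t raw -A PREROUTING -p tcp --syn -j DROP
}

# Number of rules emitted in dry-run mode (used for checking the output).
rule_count() { syn_rateest_rules | wc -l | tr -d ' '; }

syn_rateest_rules
```

Unlike limit, rateest compares against an exponentially weighted average, so a burst shorter than the interval still passes before the estimate catches up. Run with DRY_RUN=0 as root to load the rules.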