On Tuesday 2013-01-08 03:13, Darius Jahandarie wrote:

>On Sun, Dec 9, 2012 at 5:41 PM, Jan Engelhardt <jengelh@xxxxxxx> wrote:
>> On Sunday 2012-12-09 21:05, Darius Jahandarie wrote:
>>
>>>Hi all. I currently have an iptables rule like follows in the raw table:
>>>
>>>-A PREROUTING -p tcp --dport 1234 --syn -m limit --limit 10000/sec
>>>--limit-burst 10000 -j ACCEPT
>>>-A PREROUTING -p tcp --syn -j DROP
>>>
>>>Does anyone have thoughts on a way to get some sort of rate-limiting
>>>(TBF or otherwise) that can handle more PPS than the limit module
>>>while still being as efficient as possible?
>>
>> -j RATEEST, -m rateest
>
>Thanks for the tip Jan -- but I've failed in my attempts to use this
>target/module combo. I'm not entirely sure what my rules should be to
>do something similar to the limit rule I posted.

-m $all_that_which_is_to_be_counted \
-j RATEEST --rateest-name foo --rateest-name bac --rateest-interval 1ms \
--rateest-ewmalog 2ms

-m $all_that -m rateest --rateest-name foo \
--rateest1 foo --rateest-gt --rateest-pps1 1000

This at least passes the syntax checks and should match 1000 hits per
second - in some fashion. Trying to figure out what values to pick for
--rateest-interval and --rateest-ewmalog without running into "invalid
values" is the actual trick, because none of it is documented.
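An added example, not code from this thread or from the iptables project: a shell helper that emits the two raw-table rules as an iptables-restore fragment, feeding SYNs to one port into a RATEEST estimator and then dropping SYNs to that port while the estimated rate is above a pps threshold. It assumes the 250ms interval and 0.5s ewmalog values used in the iptables-extensions man page example; the port, threshold and estimator name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Emit an iptables-restore fragment for
# the raw table that rate-gates TCP SYNs to one port with RATEEST/rateest.
# Interval/ewmalog values are the ones from the iptables-extensions man page
# example (assumed valid); port, pps and name are caller-supplied placeholders.

syn_rateest_rules() {
    port="$1"; pps="$2"; name="$3"
    cat <<EOF
*raw
# 1. Every SYN to port $port updates the estimator "$name". The RATEEST
#    target does not terminate the chain, so the packet continues to rule 2.
-A PREROUTING -p tcp --dport $port --syn -j RATEEST --rateest-name $name --rateest-interval 250ms --rateest-ewmalog 0.5s
# 2. Absolute comparison: drop SYNs while the estimated rate exceeds $pps pps.
-A PREROUTING -p tcp --dport $port --syn -m rateest --rateest1 $name --rateest-gt --rateest-pps1 $pps -j DROP
COMMIT
EOF
}

# Usage: syn_rateest_rules 1234 10000 syn1234 | iptables-restore --noflush
syn_rateest_rules "${1:-1234}" "${2:-10000}" "${3:-syn1234}"
```

Unlike -m limit, this is not a token bucket: the estimator is a moving average over the interval, so a short burst passes before the average catches up, and once it is above the threshold every SYN to the port is dropped until the average falls again.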