Re: nftables rate limiting per multiple seconds

Hi Kerin,
Thanks again.

I have changed it for two reasons, because of the errors:

nft add set ip filter myrate "{ type ipv4_addr . inet_service; flags timeout ; }"
nft add rule ip filter INPUT tcp dport 8000 ct state new update @myrate { ip saddr . th dport timeout 10s limit rate over 1/day burst 15 packets } counter drop
Error: Could not process rule: Invalid argument
add rule ip filter INPUT tcp dport 8000 ct state new update @myrate { ip saddr . th dport timeout 10s limit rate over 1/day burst 15 packets } counter drop

After the above error I have changed it to the below. In one use case, the below never resets. Say if I send only one message per second all the time, the below rule will stop at the 10th second and the next message will be accepted only after 10 seconds. This is not correct: when we are sending one message per second it has to accept it, because we are not sending all 15 messages in one second.

table ip filter {
    set ratelimit {
        type ipv4_addr
        flags dynamic
        timeout 10s
    }
    chain INPUT {
        type filter hook input priority filter; policy accept;
        tcp dport 8000 ct state new update @ratelimit { ip saddr limit rate over 1/day burst 15 packets } drop
    }
}

Thanks
Sreedhar


On Fri, Mar 8, 2024 at 2:04 AM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
> On Thu, 7 Mar 2024, at 5:10 PM, Sreedhar M wrote:
> > Thanks Kerin for the info.
> >
> > The workaround is not fulfilling. The use case for me is a multiple
> > seconds combination.
> > I wanted to keep new connections; at any given 10 second period I
> > don't want to allow more than 15 connections.
> >
> > Let me explain: as I wanted to accept new connections, at any given
> > 10 second period I don't want to allow more than 15 connections.
> >
> > With the below rule, e.g. say on a src client, if I run 15 connections
> > in one second, because of the 15 packets burst the rule will accept; from
> > the 2nd second onwards it accepts 1 each second until it reaches 10
>
> You have to set the interval long enough for the bucket refill rate to be immaterial (1/day is the longest possible interval). The example had it as 1/hour; I do not know why you reduced it to 1/second.
>
> --
> Kerin Millar



-- 
Best Regards
Sreedhar
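As an added illustration (not code from this thread or from the nftables project), here is a simplified Python model of what the ruleset above does for one source address. It assumes the dynamic-set semantics that `update` refreshes the element's timeout on every match while `add` leaves the original expiry in place, and it approximates the `limit` as a bucket of `burst` tokens refilled at `rate`; the traffic patterns are constructed.

```python
# Constructed model of:
#   update @ratelimit { ip saddr timeout 10s limit rate over 1/day burst 15 packets } drop
# for a single source address.
# Assumption: `update` refreshes the element timeout on every match; `add` does not.
BURST = 15                 # burst 15 packets
RATE_PER_SEC = 1 / 86400   # rate 1/day: refill is negligible inside a 10s window
TIMEOUT = 10.0             # timeout 10s

class Element:
    """One dynamic-set element: its expiry time and its (simplified) token bucket."""
    def __init__(self, now):
        self.expires = now + TIMEOUT
        self.tokens = float(BURST)
        self.last = now

def decide(arrivals, op):
    """Return one 'accept'/'drop' decision per packet time; op is 'update' or 'add'."""
    elem = None
    decisions = []
    for t in arrivals:
        if elem is not None and t >= elem.expires:
            elem = None                      # element expired: all limit state is gone
        if elem is None:
            elem = Element(t)                # fresh element with a full bucket
        else:
            elem.tokens = min(BURST, elem.tokens + (t - elem.last) * RATE_PER_SEC)
            elem.last = t
            if op == "update":
                elem.expires = t + TIMEOUT   # update refreshes the timeout on every packet
        if elem.tokens >= 1:
            elem.tokens -= 1
            decisions.append("accept")
        else:
            decisions.append("drop")         # "limit rate over ..." matched -> drop
    return decisions

def accepted(arrivals, op):
    """Number of packets the rule lets through for the given traffic and set operation."""
    return decide(arrivals, op).count("accept")

if __name__ == "__main__":
    steady = [float(s) for s in range(60)]   # constructed: one new connection per second
    print("update, 1/s for 60s:", accepted(steady, "update"))   # 15: element never expires
    print("add,    1/s for 60s:", accepted(steady, "add"))      # 60: 10 per window < 15
```

With steady traffic the `update` variant keeps refreshing the element, so once the 15 tokens are spent and the refill is 1/day, nothing from that source is accepted until it stays silent for 10s; with `add` the element expires 10s after it was created and the count starts over.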