Hello, list members,

Can I limit pps rate with Linux? How?

-m limit does not fit, as I understood: it can help with low rates only
(is that true? any suggestions?)

Thank you,

--
 _,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-'' ` G.m-"^m`m''
Dmytro O. Redchuk
On Wednesday, 30 August 2006 16:07, Dmytro O. Redchuk wrote:
> Hello, list members,
>
> Can I limit pps rate with Linux? How?
>
> -m limit does not fit, as I understood: it can help with low rates only
> (is that true? any suggestions?)

Maybe hashlimit? What exactly do you need to do?

Here's what I use to rate-limit pps for every host in the network. In fact this is on a 2.4 kernel with dstlimit (with some changes in the source), but hashlimit works in the same way.

    $IPT -t mangle -I FORWARD -i eth1 -j LIMITPAK
    $IPT -t mangle -A LIMITPAK -i eth1 -s 192.168.0.0/24 -m dstlimit --dstlimit 75 --dstlimit-burst 200 --dstlimit-mode srcip --dstlimit-name eth1_0.0 -j RETURN
    $IPT -t mangle -A LIMITPAK -i eth1 -s 192.168.0.0/24 -j DROP
    $IPT -t mangle -A LIMITPAK -j RETURN

--
| regards / greetings     | powered by Trustix, Gentoo and FreeBSD           |
| Kajetan Staszkiewicz    | jabber,email,www: vegeta()tuxpowered net         |
| Vegeta                  | IMQ devnames: http://www.tuxpowered.net          |
`------------------------^------------------------------------------'
On Wed, Aug 30, 2006 at 05:22:27PM +0200, Kajetan Staszkiewicz wrote:
> On Wednesday, 30 August 2006 16:07, Dmytro O. Redchuk wrote:
> > Hello, list members,
> >
> > Can I limit pps rate with Linux? How?
> >
> > -m limit does not fit, as I understood: it can help with low rates only
> > (is that true? any suggestions?)
>
> Maybe hashlimit?

Maybe. I should try. Thanks.

> What exactly do you need to do?

Limit a host's traffic to, let's say, 8.5 kpps, and drop any "exceeded" packet.

I guess dstlimit will not help me either :-(

Limiting such rates on firewalls seems to be too expensive, and I don't mention a firewall (iptables) as a tool for doing that. No, surely, I am asking for help :-)

Are there any tools which can handle and limit such pps rates?

-m limit, if I remember correctly, accepts limits up to 10k, but it seems to be *terribly* wrong at limiting that... I wish I were incorrect...

> $IPT -t mangle -I FORWARD -i eth1 -j LIMITPAK
[...]

Thanks, anyway.

> --
> | regards / greetings     | powered by Trustix, Gentoo and FreeBSD           |
> | Kajetan Staszkiewicz    | jabber,email,www: vegeta()tuxpowered net         |
> | Vegeta                  | IMQ devnames: http://www.tuxpowered.net          |
> `------------------------^------------------------------------------'
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
Dmytro O. Redchuk
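An added example (not code from the thread or from either poster) showing the per-source packet-rate policing Kajetan describes, built on -m hashlimit, the in-tree successor of dstlimit, and sized for the 8.5 kpps figure Dmytro asks about. The interface, subnet, burst size and the hashlimit table name are illustrative assumptions; the functions only print the iptables commands so the script can be read and checked without root.

```shell
#!/bin/sh
# Added example, not part of the original LARTC thread.
# Per-source-IP packet-per-second policing with iptables -m hashlimit.
# Assumptions (illustrative): interface eth1, subnet 192.168.0.0/24,
# chain and hashlimit table names below. Requires root and xt_hashlimit
# when actually applied.

# pps_limit_rules IFACE SUBNET RATE_PPS BURST NAME
# Print, one per line, the iptables commands that drop packets from any
# single source address in SUBNET arriving on IFACE faster than RATE_PPS
# packets/second, after a burst of BURST packets. The rules live in the
# raw table so they run before connection tracking, which keeps the
# per-packet cost down on a box acting as a router or bridge.
# A dedicated chain is used so its counter shows packets seen and the
# DROP rule's counter shows packets policed.
pps_limit_rules() {
    iface=$1; subnet=$2; rate=$3; burst=$4; name=$5
    chain="PPSLIMIT_${name}"
    # Only one hashlimit match per packet: every evaluation of the match
    # consumes a token, so a second LOG rule with the same match would
    # halve the effective rate.
    printf '%s\n' \
      "iptables -t raw -N $chain" \
      "iptables -t raw -A $chain -m hashlimit --hashlimit-above ${rate}/sec --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name $name -j DROP" \
      "iptables -t raw -I PREROUTING -i $iface -s $subnet -j $chain"
}

# pps_limit_status NAME
# Print the commands that show the live per-source token buckets and the
# chain counters, for checking that the limit is actually biting.
pps_limit_status() {
    name=$1
    printf '%s\n' \
      "cat /proc/net/ipt_hashlimit/$name" \
      "iptables -t raw -vnL PPSLIMIT_$name"
}

# pps_limit_apply IFACE SUBNET RATE_PPS BURST NAME
# Execute the generated rules when running as root; otherwise just print
# them. Caveat: hashlimit match revision 1 (old iptables/kernels) rejects
# rates above 10000/sec with "Rate too fast"; revision 2 (kernel 4.11 and
# iptables 1.6.1 or newer) raises that ceiling.
pps_limit_apply() {
    if [ "$(id -u)" -eq 0 ]; then
        pps_limit_rules "$@" | sh -e
    else
        pps_limit_rules "$@"
    fi
}

# Stand-alone run: show the rule set for 8500 pps per source, burst 1000
# (about 0.12 s worth of packets at that rate).
pps_limit_rules eth1 192.168.0.0/24 8500 1000 pps_eth1
```

The burst is the bucket depth, not a second rate: with --hashlimit-above, a source that stays under 8500 pps never loses a packet, while one that exceeds it is dropped once its 1000-packet cushion is spent, and it recovers as tokens refill. Per-host tables are keyed by srcip only; add dstport to the mode if the policy should be per service rather than per host.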
Dmytro O. Redchuk wrote:
> Hello, list members,
>
> Can I limit pps rate with Linux? How?
>
> -m limit does not fit, as I understood: it can help with low rates only
> (is that true? any suggestions?)

This is probably better achieved at the switch level. If this is for stopping viruses and DoS attacks, then it's better to stop the traffic as close to the source as possible.

--
Roy-Magne Mo
On Thu, Aug 31, 2006 at 12:35:32PM +0200, Roy-Magne Mo wrote:
> Dmytro O. Redchuk wrote:
> > Hello, list members,
> >
> > Can I limit pps rate with Linux? How?
> >
> > -m limit does not fit, as I understood: it can help with low rates only
> > (is that true? any suggestions?)
>
> This is probably better achieved at the switch level. If this is for
> stopping viruses and DoS attacks, then it's better to stop the traffic
> as close to the source as possible.

Mmm, probably I mentioned a Linux box acting as a bridge [too]. And, probably, not to stop, but to "prevent", by setting up some policy for pps rates.

Probably it's possible to set up some policing on a Cisco Catalyst switch, but if Linux had some tools to do "the same", it would be better, as for me. And I don't like "police [rate-bps] ..." here; I like htb in the same situation :-)

I need a kind of "police [rate-*pps*] ...", and, preferably, for Linux. :-(

It's like it's not possible, so I should review my considerations, probably.

Thank you.

> --
> Roy-Magne Mo

--
Dmytro O. Redchuk