summaryrefslogtreecommitdiffstats
path: root/extensions/libxt_hashlimit.man
Commit message (Collapse)AuthorAgeFilesLines
* doc: Fix spelling error in hashlimit sectionMajor Hayden2018-06-261-1/+1
| | | | | Signed-off-by: Major Hayden <major@mhtx.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netfilter: xt_hashlimit: add rate match modeVishwanath Pai2017-09-081-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a new feature to hashlimit that allows matching on the current packet/byte rate without rate limiting. This can be enabled with a new flag --hashlimit-rate-match. The match returns true if the current rate of packets is above/below the user specified value. The main difference between the existing algorithm and the new one is that the existing algorithm rate-limits the flow whereas the new algorithm does not. Instead it *classifies* the flow based on whether it is above or below a certain rate. I will demonstrate this with an example below. Let us assume this rule: iptables -A INPUT -m hashlimit --hashlimit-above 10/s -j new_chain If the packet rate is 15/s, the existing algorithm would ACCEPT 10 packets every second and send 5 packets to "new_chain". But with the new algorithm, as long as the rate of 15/s is sustained, all packets will continue to match and every packet is sent to new_chain. This new functionality will let us classify different flows based on their current rate, so that further decisions can be made on them based on what the current rate is. This is how the new algorithm works: We divide time into intervals of 1 (sec/min/hour) as specified by the user. We keep track of the number of packets/bytes processed in the current interval. After each interval we reset the counter to 0. When we receive a packet for match, we look at the packet rate during the current interval and the previous interval to make a decision: if [ prev_rate < user and cur_rate < user ] return Below else return Above Where cur_rate is the number of packets/bytes seen in the current interval, prev is the number of packets/bytes seen in the previous interval and 'user' is the rate specified by the user. We also provide flexibility to the user for choosing the time interval using the option --hashilmit-interval. For example the user can keep a low rate like x/hour but still keep the interval as small as 1 second. To preserve backwards compatibility we have to add this feature in a new revision, so I've created revision 3 for hashlimit. The two new options we add are: --hashlimit-rate-match --hashlimit-rate-interval I have updated the help text to add these new options. Also added a few tests for the new options. Suggested-by: Igor Lubashev <ilubashe@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: libxt_hashlimit.man: correct addressLaurence J. Lane2013-08-221-1/+1
| | | | | | | | | Corrects an example address with subnet mask. http://bugs.debian.org/698393 Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_hashlimit: add support for byte-based operationFlorian Westphal2012-07-141-4/+15
| | | | | | | | | | | | | | allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ] to make hashlimit match when X bytes/second are exceeded; optionally, Y bytes will not be matched (i.e. bursted). [ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ] libxt_hashlimit.c: In function ‘parse_bytes’: libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat] Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add some coded option examples to libxt_hashlimitJan Engelhardt2011-05-221-10/+16
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: consistent use of markupJan Engelhardt2010-07-231-6/+6
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: xt_hashlimit: fix a typoJan Engelhardt2010-06-041-1/+1
| | | | | References: http://bugzilla.netfilter.org/show_bug.cgi?id=646 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: escape minus sign in manpagesJan Engelhardt2009-01-121-18/+18
| | | | | | | groff formats '-' as a hyphen, and '\-' is needed for a minus. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpage updatesJan Engelhardt2008-06-081-1/+1
| | | | | | | | | A number of options support negation, but the manpage did not reflect this ("[!]" was absent). Also fix a few [] (optional arguments) to {} (required arguments) in the option-BNF. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: grammar and spellingJan Engelhardt2008-04-131-2/+2
|
* Add support for xt_hashlimit match revision 1Jan Engelhardt2008-04-131-31/+55
|
* Move libipt_hashlimit.man to libxt_hashlimit.man for ip6tables.8Yasuyuki KOZAKAI2007-11-291-0/+35