LinuxQuestions.org
Old 02-22-2018, 05:48 AM   #1
nejnej25
IPTables limit module


Hi, I'm confused about the limit module. Please take a look at the text quoted below from netfilter.org.

Quote:
limit
This module must be explicitly specified with `-m limit' or `--match limit'. It is used to restrict the rate of matches, such as for suppressing log messages. It will only match a given number of times per second (by default 3 matches per hour, with a burst of 5). It takes two optional arguments:

--limit
followed by a number; specifies the maximum average number of matches to allow per second. The number can specify units explicitly, using `/second', `/minute', `/hour' or `/day', or parts of them (so `5/second' is the same as `5/s').

--limit-burst
followed by a number, indicating the maximum burst before the above limit kicks in.

This match can often be used with the LOG target to do rate-limited logging. To understand how it works, let's look at the following rule, which logs packets with the default limit parameters:

# iptables -A FORWARD -m limit -j LOG
The first time this rule is reached, the packet will be logged; in fact, since the default burst is 5, the first five packets will be logged. After this, it will be twenty minutes before a packet will be logged from this rule, regardless of how many packets reach it. Also, every twenty minutes which passes without matching a packet, one of the burst will be regained; if no packets hit the rule for 100 minutes, the burst will be fully recharged; back where we started.

Note: you cannot currently create a rule with a recharge time greater than about 59 hours, so if you set an average rate of one per day, then your burst rate must be less than 3.
So in the example here no parameter is given to limit, so it will take the defaults, right? --limit 3/hour and --limit-burst 5, and it will refresh 1 per 20 minutes if no packets hit the rule.

Now in the statement below it says that only 5 connections will be logged, so that means it's the limit-burst. Why is it not 8? Because the limit is 3? Does that mean the number on limit is useless? Please enlighten me; also, refer this question to the statement below the command. Thanks!

Also, how is the credit refresh time calculated?

Last edited by nejnej25; 02-22-2018 at 06:32 AM.
 
Old 02-22-2018, 09:20 AM   #2
rknichols
Think of it as a bucket of tokens. The limit-burst is the size of the bucket, in this case 5 tokens. The "--limit 3/hour" is the rate at which new tokens get added to the bucket as long as it is not full. Each successful match removes one token from the bucket.
 
Old 02-22-2018, 07:02 PM   #3
nejnej25
Quote:
Originally Posted by rknichols
Think of it as a bucket of tokens. The limit-burst is the size of the bucket, in this case 5 tokens. The "--limit 3/hour" is the rate at which new tokens get added to the bucket as long as it is not full. Each successful match removes one token from the bucket.
So, meaning if you get 4 matches in an hour there will be 1 token left, right? But if you get 5 matches in an hour the bucket will be empty (no tokens left) and no packet will match that rule until the tokens refresh, right? Then how can I calculate the amount of time for every token to refresh?
 
Old 02-22-2018, 08:12 PM   #4
rknichols
Since you don't know when those 3/hour ticks are coming along, you can't know it exactly. The feature isn't intended for precise measurements. I looked around for some way to see the current state of that bucket, but couldn't find anything.
 
Old 02-23-2018, 01:50 AM   #5
nejnej25
Quote:
Originally Posted by rknichols
Since you don't know when those 3/hour ticks are coming along, you can't know it exactly. The feature isn't intended for precise measurements. I looked around for some way to see the current state of that bucket, but couldn't find anything.
Okay, thanks. For a final thought, the limit-burst is the hard limit. If the number of packets that match reaches the limit-burst within an hour/sec/min, it will not accept any more until the tokens regenerate. That is my final thought. Am I getting it right and clear?
 
Old 02-23-2018, 08:52 AM   #6
rknichols
Yes. Of course the bucket does not have to fill completely, just be non-empty. For the given example (3/hour), a new token will arrive every 20 minutes. As soon as that occurs, another packet could satisfy the match, which would again empty the bucket. In 20 more minutes, another token will be added to the bucket. The bucket can never hold more than 5 tokens (--limit-burst 5).
Old 02-24-2018, 12:56 AM   #7
nejnej25
Quote:
Originally Posted by rknichols
Yes. Of course the bucket does not have fill completely, just be non-empty. For the given example (3/hour), a new token will arrive every 20 minutes. As soon as that occurs, another packet could satisfy the match, which would again empty the bucket. In 20 more minutes, another token will be added to the bucket. The bucket can never hold more than 5 tokens (--limit-burst 5).
Yeah! Now I clearly got it. Thanks to you. Btw, what if the limit is higher than the limit-burst? For example, limit 50/sec, limit-burst 20: what would happen?

Last edited by nejnej25; 02-24-2018 at 01:08 AM.
 
Old 02-24-2018, 10:35 AM   #8
rknichols
Quote:
Originally Posted by nejnej25
Yeah! Now I clearly got it. Thanks to you. Btw, what if the limit is higher than the limit-burst? For example, limit 50/sec, limit-burst 20: what would happen?
In theory you could match 20 packets in the first millisecond and thereafter be limited to one packet every 20 milliseconds (1/50 second), but I don't know how that mechanism is actually implemented. Somehow I doubt that something gets scheduled every 20 milliseconds to refill the bucket asynchronously. Implementation details matter when you start pushing to extremes, and that's getting beyond what I know or care about just now.
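The token-bucket picture from posts #2, #6 and #8, written out as a small simulator (an added example, not code from the thread, from netfilter or from the kernel's xt_limit): the bucket starts full at --limit-burst, each match spends one token, and tokens are earned lazily at the --limit rate whenever a packet arrives, so no timer has to fire every 20 ms for the 50/sec case. Function names, the exact-fraction arithmetic and the sample arrival times are assumptions for illustration.

```python
from fractions import Fraction

# Token-bucket model of `-m limit --limit RATE --limit-burst BURST`, built
# from the thread's description (constructed example, not kernel xt_limit).
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_limit(spec):
    """'3/hour', '50/sec', '5/s' -> tokens per second, as an exact Fraction."""
    num, _, unit = spec.partition("/")
    unit = unit or "second"            # bare number means per second
    for name, secs in UNITS.items():
        if name.startswith(unit):      # iptables accepts /s, /m, /h, /d too
            return Fraction(num) / secs
    raise ValueError(f"unknown unit in {spec!r}")

def refill_interval(spec):
    """Seconds between two new tokens: 1/rate (3/hour -> 1200 s = 20 min)."""
    return 1 / parse_limit(spec)

class LimitMatch:
    def __init__(self, limit, burst):
        self.rate = parse_limit(limit)     # tokens added per second
        self.burst = burst                 # bucket capacity (--limit-burst)
        self.tokens = Fraction(burst)      # bucket starts full
        self.last = Fraction(0)            # time of the previous packet

    def match(self, now):
        """True if a packet arriving at time `now` (seconds) matches."""
        now = Fraction(now)
        # Refill lazily: tokens earned since the previous packet, capped at burst.
        earned = (now - self.last) * self.rate
        self.tokens = min(Fraction(self.burst), self.tokens + earned)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1               # each match spends one token
            return True
        return False

def simulate(limit, burst, arrivals):
    """Match results for packets arriving at the given times (seconds)."""
    rule = LimitMatch(limit, burst)
    return [rule.match(t) for t in arrivals]

# Constructed arrivals: 6 packets at once, then one 20 and one 40 minutes later.
print(simulate("3/hour", 5, [0] * 6 + [1200, 2400]))
```

With the defaults, the first five packets match and the sixth does not; the next match is possible 20 minutes later, and 100 idle minutes refill all five tokens, which is the "why 5, not 8" from the first post.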