xref: /aosp_15_r20/external/iptables/extensions/libxt_hashlimit.man (revision a71a954618bbadd4a345637e5edcf36eec826889)
\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
rule. Grouping can be done per-hostgroup (source and/or destination address)
and/or per-port. It gives you the ability to express "\fIN\fP packets per time
quantum per group" or "\fIN\fP bytes per second" (see below for some examples).
.PP
A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
\fB\-\-hashlimit\-name\fP are required.
.TP
\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is below or equal to \fIamount\fP/quantum. It is specified either as
a number, with an optional time quantum suffix (the default is 3/hour), or as
\fIamount\fPb/second (number of bytes per second).
.TP
\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is above \fIamount\fP/quantum.
.TP
\fB\-\-hashlimit\-burst\fP \fIamount\fP
Maximum initial number of packets to match: this number gets recharged by one
every time the limit specified above is not reached, up to this number; the
default is 5.  When byte-based rate matching is requested, this option specifies
the amount of bytes that can exceed the given rate.  This option should be used
with caution -- if the entry expires, the burst value is reset too.
.TP
\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
A comma-separated list of objects to take into consideration. If no
\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
expense of doing the hash housekeeping.
.TP
\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
grouped according to the given prefix length and the so-created subnet will be
subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
srcip for \-\-hashlimit\-mode, but is technically more expensive.
.TP
\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
Like \-\-hashlimit\-srcmask, but for destination addresses.
.TP
\fB\-\-hashlimit\-name\fP \fIfoo\fP
The name for the /proc/net/ipt_hashlimit/foo entry.
.TP
\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
The number of buckets of the hash table.
.TP
\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
Maximum entries in the hash.
.TP
\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
After how many milliseconds hash entries expire.
.TP
\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
How many milliseconds between garbage collection intervals.
.TP
\fB\-\-hashlimit\-rate\-match\fP
Classify the flow instead of rate-limiting it. This acts like a
true/false match on whether the rate is above/below a certain number.
.TP
\fB\-\-hashlimit\-rate\-interval\fP \fIsec\fP
Can be used with \-\-hashlimit\-rate\-match to specify the interval
at which the rate should be sampled.
.PP
Examples:
.TP
matching on source host
"1000 packets per second for every host in 192.168.0.0/16" =>
\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
.TP
matching on source port
"100 packets per second for every service of 192.168.1.1" =>
\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
.TP
matching on subnet
"10000 packets per minute for every /28 subnet (groups of 8 addresses)
in 10.0.0.0/8" =>
\-s 10.0.0.0/8 \-\-hashlimit\-mode srcip \-\-hashlimit\-srcmask 28 \-\-hashlimit\-upto 10000/min
.TP
matching bytes per second
"flows exceeding 512kbyte/s" =>
\-\-hashlimit\-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s
.TP
matching bytes per second
"hosts that exceed 512kbyte/s, but permit up to 1 Megabyte without matching" =>
\-\-hashlimit\-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit\-burst 1mb
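.PP
The following is an added example and is not part of the iptables man page or
source tree: a small Python model of the per-group packet bucket that the
options above describe, so the effect of \-\-hashlimit\-mode,
\-\-hashlimit\-srcmask, \-\-hashlimit\-burst, \-\-hashlimit\-above and
\-\-hashlimit\-htable\-expire can be traced on constructed sample packets. The
class name HashLimit, the packet dictionaries and the simplified credit
arithmetic are assumptions of the example; byte-based rates are not modelled.

```python
import ipaddress

class HashLimit:
    """Simplified model of the hashlimit packet-rate bucket (example code, not the
    kernel's xt_hashlimit): each group keyed per --hashlimit-mode holds `burst`
    credits, spends one per matching packet, refills at `rate` per second up to
    `burst`, and is dropped after `expire_ms` idle, which resets its burst."""

    def __init__(self, rate_per_sec, burst=5, mode=("srcip",), srcmask=32,
                 dstmask=32, expire_ms=10000, above=False):
        self.rate, self.burst, self.mode = float(rate_per_sec), burst, tuple(mode)
        self.srcmask, self.dstmask = srcmask, dstmask
        self.expire, self.above = expire_ms / 1000.0, above
        self.table = {}  # group key -> [credits, last_seen_seconds]

    def key(self, pkt):
        # Hash key from the fields named in --hashlimit-mode; addresses are grouped
        # by prefix length the way --hashlimit-srcmask / --hashlimit-dstmask do.
        parts = []
        for field in self.mode:
            if field == "srcip":
                net = ipaddress.ip_network(f"{pkt['src']}/{self.srcmask}", strict=False)
                parts.append(str(net))
            elif field == "dstip":
                net = ipaddress.ip_network(f"{pkt['dst']}/{self.dstmask}", strict=False)
                parts.append(str(net))
            elif field == "srcport":
                parts.append(pkt["sport"])
            elif field == "dstport":
                parts.append(pkt["dport"])
        return tuple(parts)  # empty mode: a single bucket, i.e. plain 'limit'

    def match(self, pkt, now):
        """True if the rule matches `pkt` at time `now` (seconds)."""
        k = self.key(pkt)
        entry = self.table.get(k)
        if entry is not None and now - entry[1] > self.expire:
            entry = None  # expired entry is recreated with a full burst
        if entry is None:
            entry = self.table[k] = [float(self.burst), now]
        # refill credits for the idle time, capped at the burst allowance
        entry[0] = min(float(self.burst), entry[0] + (now - entry[1]) * self.rate)
        entry[1] = now
        within_rate = entry[0] >= 1.0
        if within_rate:
            entry[0] -= 1.0
        return within_rate != self.above  # --hashlimit-above inverts the verdict
```

Feeding packets from several hosts of one /24 through an instance built with
srcmask=24 shows them sharing a single bucket, while a short expire value shows
the burst being restored after an idle gap even though the rate alone would not
have refilled it.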