Limiting bandwidth with hashlimit (e.g. kb/s -- not connections!) doesn't
work, though the man page says it should
According to the iptables-extensions man page, hashlimit can do bandwidth
limiting:
"flows exceeding 512kbyte/s" =>
--hashlimit-mode srcip,dstip,srcport,dstport --hashlimit-above 512kb/s
However, when I try to specify a rule like that, 1) it doesn't limit my
bandwidth as I expect, and 2) when I dump the rules with iptables-save, I get
the same entries no matter what I put after the number (kb/s, b/s, /sec,
something silly, or nothing at all):
# iptables -t filter -A it2net -s 10.5.2.43/32 -m hashlimit \
    --hashlimit-upto 8kb/s --hashlimit-mode dstip --hashlimit-name test \
    --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.44/32 -m hashlimit \
    --hashlimit-upto 8b/s --hashlimit-mode dstip --hashlimit-name test \
    --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.45/32 -m hashlimit \
    --hashlimit-upto 8 --hashlimit-mode dstip --hashlimit-name test \
    --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.46/32 -m hashlimit \
    --hashlimit-upto 8000 --hashlimit-mode dstip --hashlimit-name test \
    --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.47/32 -m hashlimit \
    --hashlimit-upto 8000b --hashlimit-mode dstip --hashlimit-name test \
    --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.48/32 -m hashlimit \
    --hashlimit-upto 8000xb --hashlimit-mode dstip --hashlimit-name test \
    --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.49/32 -m hashlimit \
    --hashlimit-upto 8000kb --hashlimit-mode dstip --hashlimit-name test \
    --hashlimit-htable-expire 3600000 -j ACCEPT
And the relevant parts of the dump:
-A it2net -s 10.5.2.43/32 -m hashlimit --hashlimit-upto 8/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.44/32 -m hashlimit --hashlimit-upto 8/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.45/32 -m hashlimit --hashlimit-upto 8/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.46/32 -m hashlimit --hashlimit-upto 10000/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.47/32 -m hashlimit --hashlimit-upto 10000/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.48/32 -m hashlimit --hashlimit-upto 10000/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.49/32 -m hashlimit --hashlimit-upto 10000/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
(let's not worry about why 8000 is rounded up to 10000 ... or, should we?)
Any ideas what I'm missing? I would need to limit the bandwidth use of
about 100 constantly changing users individually, so each would have only
a very low limit to allow basic services (especially stupid mobile apps
that can't use proxy authentication), but require signing in for
everything else.
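The check a practitioner would want here, as an added example that is not part of the post above: one hashlimit rule keyed on the source address (so each of the hundred users gets their own bucket, instead of one ACCEPT rule per user) in the byte-based syntax, followed by a read-back of the rule from iptables-save to confirm the byte unit survived. If it comes back as "<n>/sec", the way the post's dump does, the kernel/iptables pair is treating it as a packet rate and the rule is not limiting bandwidth at all. Assumptions (mine, not from the post): the chain name "it2net", the subnet 10.5.2.0/24, a 64 kB/s limit, the table name "peruser", and a kernel/iptables pair with xt_hashlimit revision 2, which to my knowledge is where byte-based mode arrived (Linux 3.13 / iptables 1.4.21).

```shell
#!/bin/sh
# Added example, not from the post: per-source byte-rate limit with
# xt_hashlimit plus a round-trip check through iptables-save.
# Assumed values (hypothetical): chain "it2net", subnet 10.5.2.0/24,
# 64 kB/s per source, table name "peruser".

CHAIN=it2net
SUBNET=10.5.2.0/24
RATE=64kb/s      # byte mode syntax: <n>[k|m|g]b/<second|minute|hour|day>
BURST=65536      # in byte mode this is an amount of bytes, not packets
NAME=peruser

# Rule text. --hashlimit-mode srcip keys the table on the source address,
# so this single rule tracks every user separately; --hashlimit-above
# matches the packets that exceed the rate, and those are dropped.
hashlimit_rule() {
    echo "-A $CHAIN -s $SUBNET -m hashlimit --hashlimit-above $RATE" \
         "--hashlimit-burst $BURST --hashlimit-mode srcip" \
         "--hashlimit-name $NAME --hashlimit-htable-expire 3600000 -j DROP"
}

# Pull the rate argument out of one iptables-save line.
rate_of() {
    printf '%s\n' "$1" | sed -E -n 's/.*--hashlimit-(above|upto) ([^ ]+).*/\2/p'
}

# Returns 0 when the saved rate is still a byte rate (digits, optional
# k/m/g prefix, "b/" and a time quantum), 1 when it came back as a packet
# rate such as "8/sec", i.e. the unit suffix was dropped on the way in.
byte_rate_kept() {
    case "$(rate_of "$1")" in
        [0-9]*b/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Install the rule, then re-read it and refuse to continue if the byte
# unit was lost: on such a system the rule silently limits packets per
# second instead of bytes per second. Needs root and the it2net chain.
apply_rule() {
    # shellcheck disable=SC2046
    iptables -t filter $(hashlimit_rule) || return 1
    saved=$(iptables-save -t filter | grep -- "--hashlimit-name $NAME ")
    if byte_rate_kept "$saved"; then
        echo "ok: $saved"
    else
        echo "byte mode not in effect, rule was saved as: $saved" >&2
        return 1
    fi
}

# Live per-source state: the kernel exposes one entry per tracked key.
show_buckets() {
    cat "/proc/net/ipt_hashlimit/$NAME"
}

case "${1:-}" in
    apply) apply_rule ;;
    show)  show_buckets ;;
esac
```

Run it as `sh limit.sh apply` on the gateway and then `sh limit.sh show` while a client is transferring data; a system that prints "byte mode not in effect" is one where only the packet-per-second form of hashlimit is available, and no spelling of the rate argument will change that.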