14
14
"10000 packets per minute for every /28 subnet in 10.0.0.0/8"
16
A hash limit option (\fB--hashlimit-upto\fR, \fB--hashlimit-above\fR) and
17
\fB--hashlimit-name\fR are required.
16
A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
17
\fB\-\-hashlimit\-name\fP are required.
19
\fB--hashlimit-upto\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
19
\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
20
20
Match if the rate is below or equal to \fIamount\fR/quantum. It is specified as
21
21
a number, with an optional time quantum suffix; the default is 3/hour.
23
\fB--hashlimit-above\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
23
\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
24
24
Match if the rate is above \fIamount\fR/quantum.
26
\fB--hashlimit-burst\fR \fIamount\fR
26
\fB\-\-hashlimit\-burst\fP \fIamount\fP
27
27
Maximum initial number of packets to match: this number gets recharged by one
28
28
every time the limit specified above is not reached, up to this number; the
31
\fB--hashlimit-mode\fR {\fBsrcip\fR|\fBsrcport\fR|\fBdstip\fR|\fBdstport\fR}\fB,\fP...
31
\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
32
32
A comma-separated list of objects to take into consideration. If no
33
--hashlimit-mode option is given, hashlimit acts like limit, but at the
33
\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
34
34
expensive of doing the hash housekeeping.
36
\fB--hashlimit-srcmask\fR \fIprefix\fR
37
When --hashlimit-mode srcip is used, all source addresses encountered will be
36
\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
37
When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
38
38
grouped according to the given prefix length and the so-created subnet will be
39
39
subject to hashlimit. \fIprefix\fR must be between (inclusive) 0 and 32. Note
40
that --hashlimit-srcmask 0 is basically doing the same thing as not specifying
41
srcip for --hashlimit-mode, but is technically more expensive.
43
\fB--hashlimit-dstmask\fR \fIprefix\fR
44
Like --hashlimit-srcmask, but for destination addresses.
46
\fB--hashlimit-name\fR \fIfoo\fR
40
that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
41
srcip for \-\-hashlimit\-mode, but is technically more expensive.
43
\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
44
Like \-\-hashlimit\-srcmask, but for destination addresses.
46
\fB\-\-hashlimit\-name\fP \fIfoo\fP
47
47
The name for the /proc/net/ipt_hashlimit/foo entry.
49
\fB--hashlimit-htable-size\fR \fIbuckets\fR
49
\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
50
50
The number of buckets of the hash table
52
\fB--hashlimit-htable-max\fR \fIentries\fR
52
\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
53
53
Maximum entries in the hash.
55
\fB--hashlimit-htable-expire\fR \fImsec\fR
55
\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
56
56
After how many milliseconds do hash entries expire.
58
\fB--hashlimit-htable-gcinterval\fR \fImsec\fR
58
\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
59
59
How many milliseconds between garbage collection intervals.