<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - hashlimit limit: reduction to lowest terms in the output is confusing"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1740">1740</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>hashlimit limit: reduction to lowest terms in the output is confusing
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>1.8.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Debian GNU/Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>minor
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>pedretti.fabio@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>From the man page:
--hashlimit-above amount[/second|/minute|/hour|/day]
Match if the rate is above amount/quantum.
This:
iptables -F OUTPUT
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 59/m
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 60/m
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 61/m
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 59/h
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 60/h
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 61/h
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 23/d
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 24/d
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 25/d
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 86399/d
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 86400/d
iptables -A OUTPUT -m hashlimit --hashlimit-name foo --hashlimit-above 86401/d
iptables -L OUTPUT -v -n
gives:
Chain OUTPUT (policy ACCEPT 3566 packets, 3016K bytes)
pkts bytes target prot opt in out source destination
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 59/min burst 5
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 1/sec burst 5 htable-expire 60000
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 61/min burst 5
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 59/hour burst 5
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 1/min burst 5 htable-expire 3600000
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 61/hour burst 5
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 23/day burst 5
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 1/hour burst 5 htable-expire 86400000
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 25/day burst 5
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 86399/day burst 5
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 1/sec burst 5 htable-expire 86400000
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0
limit: above 86401/day burst 5
It's a bit strange to have a different output when the requested amount/quantum
can be reduced to lowest terms. This also requires showing the proper
htable-expire time and may be a bit cumbersome to read.
I would expect:
limit: above 1/sec burst 5 htable-expire 60000
would rather be shown as
limit: above 60/min burst 5
as well as the other occurrences.
Thanks.</pre>
</div>
</p>
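<p>An added illustration, not part of the report and not iptables code: a simplified model of why some of the rates above are listed in a different unit. It assumes the rule keeps only the interval between packets and that the default htable-expire is one quantum of the typed unit; SCALE and all function names are hypothetical, and the model is checked only against the listing quoted in the report.</p>

```python
# Added model, not iptables source. SCALE is an assumed tick resolution.
SCALE = 1_000_000
UNITS = [("day", 86400 * SCALE), ("hour", 3600 * SCALE),
         ("min", 60 * SCALE), ("sec", SCALE)]
MULT = dict(UNITS)
SHORT = {"s": "sec", "m": "min", "h": "hour", "d": "day"}

def parse(spec):
    """'60/m' -> (interval in ticks between packets, typed unit name)."""
    amount, unit = spec.split("/")
    unit = SHORT[unit[0]]
    return MULT[unit] // int(amount), unit

def display(interval):
    """Choose the listing unit from the interval alone: keep moving to a
    smaller unit while the interval still divides it with little remainder."""
    name, mult = UNITS[0]
    for cand_name, cand_mult in UNITS[1:]:
        if interval > cand_mult or cand_mult % interval > cand_mult // interval:
            break
        name, mult = cand_name, cand_mult
    return mult // interval, name

def render(spec, burst=5):
    """Rebuild the 'limit:' fragment of `iptables -L -v -n` for a typed rate."""
    interval, typed_unit = parse(spec)
    shown, shown_unit = display(interval)
    expire_ms = MULT[typed_unit] // SCALE * 1000   # default expiry: one typed quantum
    text = f"limit: above {shown}/{shown_unit} burst {burst}"
    if expire_ms != MULT[shown_unit] // SCALE * 1000:
        text += f" htable-expire {expire_ms}"      # only shown when it differs
    return text

def same_rate(spec_a, spec_b):
    """True when two typed rates store the same interval."""
    return parse(spec_a)[0] == parse(spec_b)[0]

if __name__ == "__main__":
    # Rates taken from the report's command list.
    for spec in ("59/m", "60/m", "61/m", "59/h", "60/h", "61/h",
                 "23/d", "24/d", "25/d", "86399/d", "86400/d", "86401/d"):
        print(f"{spec:>8}  {render(spec)}")
```

<p>When comparing a ruleset file against a live listing, same_rate("60/m", "1/s") returning True means the two spellings describe one rate, so a unit mismatch alone is not a rule change.</p>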
</body>
</html>