query regarding hashlimit using ipset src,dst tuple
Retesh Chadha
retesh.chadha at gmail.com
Fri Oct 13 08:50:22 CEST 2006
Hi
I have a requirement as follows -
Say there are 2 source IPs - src1 and src2, and 2 destination IPs - dst1, dst2.
I need to limit src1->dst1 as well as src2->dst2 communication but want
unlimited src2->dst1 communication.
I have an ipset KNOWN, which contains src1, src2, dst1, dst2
Now I write a rule as follows -
iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s \
    --hashlimit-mode srcipdstip --hashlimit-name foo \
    -m set --set KNOWN src,dst -j ACCEPT
But this will limit the src2->dst1 communication as well, which I don't want.
Is there a way to add ip1,ip2 as a tuple in an ipset the way we can do
for ip1%port?
Is there a mode which can help me do this, using a single iptables rule as above?
Is there a way to specify multiple ipsets in 1 iptables rule?
Thanks & Regards
Retesh Chadha
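The behaviour the post describes can be checked with a small simulation. The Python below is an added example, not code from the post or from netfilter: it models hashlimit in srcipdstip mode as one token bucket per (src, dst) key (rate 1000/s, the default burst of 5), and compares the post's single rule against an ordering in which a hypothetical pair set UNLIMITED_PAIRS accepts the exempt tuple before the limited rule is reached. The addresses, the pair set and the traffic are constructed for the example.

```python
from collections import defaultdict

# Constructed addresses standing in for the post's src1, src2, dst1, dst2.
SRC1, SRC2, DST1, DST2 = "10.0.0.1", "10.0.0.2", "10.0.1.1", "10.0.1.2"
KNOWN = {SRC1, SRC2, DST1, DST2}          # the post's per-address set KNOWN
UNLIMITED_PAIRS = {(SRC2, DST1)}          # hypothetical pair set holding the exempt tuple


class HashLimit:
    """Toy model of the hashlimit match in srcipdstip mode: one token bucket
    per (src, dst) key, refilled at `rate_per_s` tokens per second and capped
    at `burst` (5 is hashlimit's default burst). Not the kernel algorithm."""

    def __init__(self, rate_per_s=1000, burst=5):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = {}, {}

    def match(self, key, now):
        """True if the packet for `key` is within the limit at time `now`."""
        tokens = self.tokens.get(key, self.burst)
        tokens = min(self.burst, tokens + (now - self.last.get(key, now)) * self.rate)
        self.last[key] = now
        if tokens >= 1:
            self.tokens[key] = tokens - 1
            return True
        self.tokens[key] = tokens
        return False


def constructed_traffic():
    """Constructed sample: per pair, a burst of 50 packets at t=0 and another
    burst of 50 one second later (100 packets per pair, 300 in total)."""
    pairs = [(SRC1, DST1), (SRC2, DST2), (SRC2, DST1)]
    return [(t, s, d) for t in (0.0, 1.0) for s, d in pairs for _ in range(50)]


def single_rule(packets=None, limiter=None):
    """The post's one rule: hashlimit on (src,dst) + set KNOWN src,dst -> ACCEPT.
    Returns {(src, dst): [accepted, fell_through]}; a packet that fails the
    hashlimit match simply does not hit this rule."""
    packets = packets if packets is not None else constructed_traffic()
    limiter = limiter or HashLimit()
    tally = defaultdict(lambda: [0, 0])
    for now, src, dst in packets:
        hit = src in KNOWN and dst in KNOWN and limiter.match((src, dst), now)
        tally[(src, dst)][0 if hit else 1] += 1
    return dict(tally)


def two_rules(packets=None, limiter=None):
    """Exempt the pair first, then limit everything else in KNOWN:
      rule 1: set UNLIMITED_PAIRS src,dst            -> ACCEPT
      rule 2: hashlimit (src,dst) + set KNOWN src,dst -> ACCEPT
    The exempt tuple never reaches the limiter, so it gets no bucket."""
    packets = packets if packets is not None else constructed_traffic()
    limiter = limiter or HashLimit()
    tally = defaultdict(lambda: [0, 0])
    for now, src, dst in packets:
        if (src, dst) in UNLIMITED_PAIRS:
            hit = True
        else:
            hit = src in KNOWN and dst in KNOWN and limiter.match((src, dst), now)
        tally[(src, dst)][0 if hit else 1] += 1
    return dict(tally)


if __name__ == "__main__":
    for name, fn in (("single rule", single_rule), ("exempt pair first", two_rules)):
        print(name)
        for pair, (ok, missed) in sorted(fn().items()):
            print(f"  {pair[0]} -> {pair[1]}: accepted {ok}, fell through {missed}")
```

With the single rule every pair in KNOWN, including src2->dst1, is cut to the burst plus refill (10 of 100 packets per pair in this sample); with the exempt rule placed first, src2->dst1 passes untouched while the other two pairs stay limited. In iptables that ordering is two rules, or one rule combining a negated set match with the hashlimit match, since a rule may carry more than one `-m set` instance; current ipset also has the `hash:net,net` type for storing address pairs directly, which the 2006-era ipset in the post did not offer.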