hashlimit not working in iptables chains
retesh.chadha at gmail.com
Fri Dec 1 12:36:44 CET 2006
I have a scenario where the iptables hashlimit feature is not
working as expected. Following is the list of IP rules:
INPUT (policy ACCEPT 1342 packets, 488K bytes)
1840 755K TEST all -- any any anywhere anywhere

TEST (1 references)
0 0 CHAIN2 all -- any any anywhere anywhere set SET2 dst
1840 755K CHAIN1 all -- any any anywhere anywhere set SET1 dst

CHAIN1 (1 references)
919 375K ACCEPT all -- any any anywhere anywhere limit: avg 200/sec burst 10 mode dstip
921 380K LOG all -- any any anywhere anywhere LOG level warning prefix `_SET1'

CHAIN2 (1 references)
0 0 ACCEPT all -- any any anywhere anywhere limit: avg 50/sec burst 10 mode dstip
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `_SET2'
Here, SET1 and SET2 are iphash sets.
Now, after applying the above rules, irrespective of which set (SET1 or
SET2) I send the packets from, I find that the limit that is used is
50/s, even though there are different chains for different sets. That
is, packets from SET1 match CHAIN1, but the hashlimit value that's used
So effectively the hashlimit that is set for all the chains is the one
in the chain that occurs first.
Am I doing something wrong here, or is this a limitation with hashlimit?
Thanks in advance
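A check worth running when two hashlimit rules appear to share one rate, added here as an editor's example and not part of the original post: the `-L` listing above does not show it, but every hashlimit rule carries a `--hashlimit-name`, and that name selects the hash table under /proc/net/ipt_hashlimit. Two rules that give the same name use the same table instead of each getting their own, so the rate parameters of one rule end up applying to both chains. The script below reads an iptables-save dump, reports any `--hashlimit-name` used by more than one rule, and rewrites the rules so each chain's table is named after the chain. The rule set it works on is constructed to mirror the chains in the post (using the current `-m set --match-set` syntax and a made-up table name `rl`); whether the original rules actually shared a name is an assumption, since the post does not show it.

```shell
#!/bin/sh
# Added example, not from the original post. Flags used are real xt_hashlimit
# and ipset options; the rule set is constructed to mirror the post's chains.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:TEST - [0:0]
:CHAIN1 - [0:0]
:CHAIN2 - [0:0]
-A INPUT -j TEST
-A TEST -m set --match-set SET2 dst -j CHAIN2
-A TEST -m set --match-set SET1 dst -j CHAIN1
-A CHAIN1 -m hashlimit --hashlimit 200/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name rl -j ACCEPT
-A CHAIN1 -j LOG --log-prefix "_SET1"
-A CHAIN2 -m hashlimit --hashlimit 50/sec --hashlimit-burst 10 --hashlimit-mode dstip --hashlimit-name rl -j ACCEPT
-A CHAIN2 -j LOG --log-prefix "_SET2"
COMMIT'

# Read iptables-save text on stdin; print each --hashlimit-name that is used
# by more than one rule, one per line. Empty output means no table is shared.
duplicate_hashlimit_names() {
    grep -- '-m hashlimit' \
        | sed -n 's/.*--hashlimit-name \([^ ]*\).*/\1/p' \
        | sort | uniq -d
}

# Read iptables-save text on stdin; rewrite every hashlimit rule so its table
# name becomes "<chain>_<oldname>", giving each chain its own
# /proc/net/ipt_hashlimit entry. iptables rejects hashlimit names longer than
# 15 characters, so a warning is printed when the new name would exceed that.
per_chain_hashlimit_names() {
    awk '
        /-m hashlimit/ && match($0, /--hashlimit-name [^ ]+/) {
            chain = $2                                  # "-A CHAIN ..." -> CHAIN
            old = substr($0, RSTART, RLENGTH)           # "--hashlimit-name NAME"
            sub(/^--hashlimit-name /, "", old)          # -> NAME
            new = chain "_" old
            if (length(new) > 15)
                print "warning: " new " exceeds the 15-character hashlimit name limit" > "/dev/stderr"
            $0 = substr($0, 1, RSTART - 1) "--hashlimit-name " new substr($0, RSTART + RLENGTH)
        }
        { print }
    '
}

# Stand-alone run: report shared names, then show the rewritten hashlimit rules.
printf '%s\n' "$SAMPLE_RULES" | duplicate_hashlimit_names      # prints: rl
printf '%s\n' "$SAMPLE_RULES" | per_chain_hashlimit_names | grep -- '--hashlimit-name'
```

On a live system the input would come from `iptables-save`, and the rewritten rules would be fed back through `iptables-restore`. After loading, `cat /proc/net/ipt_hashlimit/CHAIN1_rl` and `.../CHAIN2_rl` should each show their own buckets, which is the quickest way to confirm that the two chains are no longer being limited from one table.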