\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the
\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
rule. Grouping can be done per-hostgroup (source and/or destination address)
and/or per-port. It gives you the ability to express "\fIN\fP packets per time
quantum per group" or "\fIN\fP bytes per second" (see below for some examples).
.PP
A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
\fB\-\-hashlimit\-name\fP are required.
.TP
\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is below or equal to \fIamount\fP/quantum. It is specified either as
a number, with an optional time quantum suffix (the default is 3/hour), or as
\fIamount\fPb/second (number of bytes per second).
.TP
\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is above \fIamount\fP/quantum.
.TP
\fB\-\-hashlimit\-burst\fP \fIamount\fP
Maximum initial number of packets to match: this number gets recharged by one
every time the limit specified above is not reached, up to this number; the
default is 5. When byte-based rate matching is requested, this option specifies
the number of bytes that can exceed the given rate. This option should be used
with caution \(em if the entry expires, the burst value is reset too.
.TP
\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
A comma-separated list of objects to take into consideration. If no
\-\-hashlimit\-mode option is given, hashlimit acts like limit, but at the
expense of doing the hash housekeeping.
.TP
\fB\-\-hashlimit\-srcmask\fP \fIprefix\fP
When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be
grouped according to the given prefix length and the so-created subnet will be
subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note
that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying
srcip for \-\-hashlimit\-mode, but is technically more expensive.
.TP
\fB\-\-hashlimit\-dstmask\fP \fIprefix\fP
Like \-\-hashlimit\-srcmask, but for destination addresses.
.TP
\fB\-\-hashlimit\-name\fP \fIfoo\fP
The name for the /proc/net/ipt_hashlimit/foo entry.
.TP
\fB\-\-hashlimit\-htable\-size\fP \fIbuckets\fP
The number of buckets of the hash table.
.TP
\fB\-\-hashlimit\-htable\-max\fP \fIentries\fP
Maximum entries in the hash.
.TP
\fB\-\-hashlimit\-htable\-expire\fP \fImsec\fP
After how many milliseconds hash entries expire.
.TP
\fB\-\-hashlimit\-htable\-gcinterval\fP \fImsec\fP
How many milliseconds between garbage collection intervals.
.TP
\fB\-\-hashlimit\-rate\-match\fP
Classify the flow instead of rate-limiting it. This acts like a
true/false match on whether the rate is above/below a certain number.
.TP
\fB\-\-hashlimit\-rate\-interval\fP \fIsec\fP
Can be used with \-\-hashlimit\-rate\-match to specify the interval
at which the rate should be sampled.
.PP
Examples:
.TP
matching on source host
"1000 packets per second for every host in 192.168.0.0/16" =>
\-s 192.168.0.0/16 \-\-hashlimit\-mode srcip \-\-hashlimit\-upto 1000/sec
.TP
matching on source port
"100 packets per second for every service of 192.168.1.1" =>
\-s 192.168.1.1 \-\-hashlimit\-mode srcport \-\-hashlimit\-upto 100/sec
.TP
matching on subnet
"10000 packets per minute for every /28 subnet (groups of 8 addresses)
in 10.0.0.0/8" =>
\-s 10.0.0.0/8 \-\-hashlimit\-mode srcip \-\-hashlimit\-srcmask 28 \-\-hashlimit\-upto 10000/min
.TP
matching bytes per second
"flows exceeding 512kbyte/s" =>
\-\-hashlimit\-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s
.TP
matching bytes per second
"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching"
\-\-hashlimit\-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit\-burst 1mb
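.PP
The per-group token bucket the options above describe (rate plus burst, one hash entry per \-\-hashlimit\-mode key, prefix grouping via \-\-hashlimit\-srcmask, and the burst reset when an entry expires), as an added Python model that is neither part of this man page nor iptables code; the expire value, the upto/above semantics of the model and the sample traffic are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed traffic: two hosts in one /24 send 8 packets each at t=0.
PKTS = [{"src": f"192.168.1.{h}", "dst": "10.0.0.1", "srcport": 40000 + i, "dstport": 80}
        for h in (10, 20) for i in range(8)]

@dataclass
class Entry:
    tokens: float  # credit left for this hash entry
    last: float    # time (s) this entry was last updated

@dataclass
class HashLimit:
    """Token-bucket model of one hashlimit match; hypothetical, not the kernel code."""
    mode: tuple             # subset of ("srcip", "srcport", "dstip", "dstport")
    rate: float             # packets per second, i.e. amount/quantum
    burst: int = 5          # --hashlimit-burst, default 5
    above: bool = False     # False models --hashlimit-upto, True --hashlimit-above
    srcmask: int = 32       # --hashlimit-srcmask
    dstmask: int = 32       # --hashlimit-dstmask
    expire_ms: int = 10000  # --hashlimit-htable-expire; value chosen for the model
    table: dict = field(default_factory=dict)

    def key(self, pkt):
        """Hash key per --hashlimit-mode; an empty mode is one shared entry, like limit."""
        parts = []
        for m in self.mode:
            if m in ("srcip", "dstip"):
                addr, plen = (pkt["src"], self.srcmask) if m == "srcip" else (pkt["dst"], self.dstmask)
                parts.append(str(ipaddress.ip_network(f"{addr}/{plen}", strict=False)))
            else:
                parts.append(f"{m}={pkt[m]}")
        return tuple(parts)

    def match(self, pkt, now):
        """True if the rule matches this packet at time `now` (seconds)."""
        k = self.key(pkt)
        e = self.table.get(k)
        if e is None or (now - e.last) * 1000 >= self.expire_ms:
            e = self.table[k] = Entry(self.burst, now)  # new or expired entry: burst is full again
        e.tokens = min(self.burst, e.tokens + (now - e.last) * self.rate)  # recharge at the rate
        e.last = now
        within = e.tokens >= 1
        if within:
            e.tokens -= 1
        return (not within) if self.above else within

def count_matches(hl, pkts, now=0.0):
    return sum(hl.match(p, now) for p in pkts)

def matches_after_gap(gap_s, rate=0.1):
    """Exhaust host .10's burst at t=0, then send 8 more packets after a quiet gap."""
    hl = HashLimit(("srcip",), rate)
    count_matches(hl, PKTS[:8])
    return count_matches(hl, PKTS[:8], now=gap_s)
```

With a rate of 0.1/s a gap shorter than the expire time recharges less than one token, so nothing matches, whereas a gap past expiry hands the host a fresh burst of 5 (the caution noted under \-\-hashlimit\-burst).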