Difference between revisions of "Rate limiting matchings"

From nftables wiki

Revision as of 19:44, 13 July 2016

You can rate-limit traffic with the limit expression.

The following example shows how to accept a maximum of 10 ICMP echo-request packets per second:

% nft add rule filter input icmp type echo-request limit rate 10/second accept

Since Linux kernel 4.3, you can also rate-limit by bytes:

% nft add rule filter input limit rate 10 mbytes/second accept

The rule above accepts traffic as long as it stays below the 10 mbytes/second rate.

You can also use the burst parameter to indicate the number of packets or bytes by which you may exceed the rate limit:

% nft add rule filter input limit rate 10 mbytes/second burst 9000 kbytes accept

This indicates that you can exceed the rate limit by 9000 kbytes.

You can also use it for packets:

% nft add rule filter input icmp type echo-request limit rate 10/second burst 2 packets counter accept

So you can exceed the rate by 2 packets.

You can also use the limit expression for traffic policing at ingress, as an alternative to tc, through the new netdev family.
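The rules above are given as single nft add rule commands; the following is an added, complete ruleset for nft -f (not from the wiki page) that puts the packet and byte limits into a filter table with a drop policy, so that traffic over the limit is counted and dropped, and adds the netdev ingress policing the last paragraph mentions. The interface name eth0 and the table names are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example ruleset; load with: nft -f ratelimit.nft
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep the host reachable: loopback and already established flows.
        iif lo accept
        ct state established,related accept

        # Accept at most 10 echo-requests per second, with a burst of 2 extra
        # packets; echo-requests above the limit fall through to the final drop.
        icmp type echo-request limit rate 10/second burst 2 packets counter accept
        icmpv6 type echo-request limit rate 10/second burst 2 packets counter accept

        # Byte-based limit (kernel >= 4.3): accept up to 10 mbytes/second of
        # other traffic, allowing a burst of 9000 kbytes over the rate.
        limit rate 10 mbytes/second burst 9000 kbytes accept

        # Count what the limits rejected so the policing is observable.
        counter drop
    }
}

# Ingress policing on a network device (netdev family, kernel >= 4.2), the
# alternative to tc mentioned above. eth0 is an assumed interface name.
table netdev police {
    chain ingress {
        type filter hook ingress device eth0 priority 0; policy accept;
        limit rate 10 mbytes/second accept
        counter drop
    }
}
```

After loading, nft list ruleset shows the per-rule counters, which is the quickest way to confirm that the excess traffic is actually being dropped.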