Difference between revisions of "Rate limiting matchings"
Jump to navigation
Jump to search
m (Re-work ingress line for clarity) |
(Add an example of the ''over'' keyword) |
||
| Line 32: | Line 32: | ||
You can also use the ''limit'' expression for traffic policing in a rule using the ''ingress'' hook in the new ''netdev'' family (instead of using the ''tc'' command). | You can also use the ''limit'' expression for traffic policing in a rule using the ''ingress'' hook in the new ''netdev'' family (instead of using the ''tc'' command). | ||
The ''over'' keyword allows you to use ''limit'' intuitively in a chain with ''policy accept'': | |||
<source lang="bash"> | |||
% nft add rule netdev filter ingress pkttype broadcast limit rate over 10/second drop | |||
</source> | |||
Revision as of 02:05, 7 April 2018
You can ratelimit traffic through limit.
The following example shows how to accept a maximum of 10 ICMP echo-request packets per second:
% nft add rule filter input icmp type echo-request limit rate 10/second accept
Since Linux kernel 4.3, you can also ratelimit per bytes:
% nft add rule filter input limit rate 10 mbytes/second accept
The rule above accepts traffic below the 10 mbytes/seconds rate.
You can also use the burst parameter to indicate the number of packets/bytes you can exceed the ratelimit:
% nft add rule filter input limit rate 10 mbytes/second burst 9000 kbytes accept
This indicates that you can exceed the ratelimit in 9000 kbytes.
You can also use it for packets:
% nft add rule filter input icmp type echo-request limit rate 10/second burst 2 packets counter accept
So you can exceed the rate in 2 packets.
You can also use the limit expression for traffic policing in a rule using the ingress hook in the new netdev family (instead of using the tc command).
The over keyword allows you to use limit intuitively in a chain with policy accept:
% nft add rule netdev filter ingress pkttype broadcast limit rate over 10/second drop