Difference between revisions of "Rate limiting matchings"

From nftables wiki
(Created page with "You can ratelimit traffic through ''limit''. The following example shows how to accept a maximum of 10 ICMP echo-request packets per second: <source lang="bash"> % nft add r...")
 
m (Re-work ingress line for clarity)

Revision as of 00:35, 7 April 2018

You can rate-limit traffic with the limit expression.

The following example shows how to accept a maximum of 10 ICMP echo-request packets per second:

% nft add rule filter input icmp type echo-request limit rate 10/second accept

Since Linux kernel 4.3, you can also rate-limit by bytes:

% nft add rule filter input limit rate 10 mbytes/second accept

The rule above accepts traffic as long as it stays below the 10 mbytes/second rate.

You can also use the burst parameter to indicate by how many packets or bytes the rate limit may be exceeded:

% nft add rule filter input limit rate 10 mbytes/second burst 9000 kbytes accept

This rule allows the rate limit to be exceeded by 9000 kbytes.

You can also use it for packets:

% nft add rule filter input icmp type echo-request limit rate 10/second burst 2 packets counter accept

So the rate may be exceeded by 2 packets.
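To see how rate and burst interact, the following is an added simplified token-bucket model of the two burst rules above (the packet rule and the 10 mbytes/second rule). It is a teaching model written for this page, not the kernel's nft_limit code or the nftables project's own source: it assumes the bucket holds one second's allowance plus the burst, refills continuously at the configured rate, and charges one token per packet or per byte; the arrival timelines are constructed.

```python
"""Simplified token-bucket model of an nft 'limit rate ... burst ...' rule.

Added teaching model, not the kernel's nft_limit implementation: the bucket
holds one second's allowance plus the burst, refills continuously at the
configured rate, and each packet (or byte) spends one token.
"""

UNITS = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 * 1024}  # nft's kbytes/mbytes are 1024-based


class LimitBucket:
    def __init__(self, rate, burst=0):
        # rate: tokens allowed per second (packets or bytes); burst: extra tokens on top
        self.rate = float(rate)
        self.capacity = float(rate + burst)
        self.tokens = self.capacity
        self.last = 0.0

    def accept(self, now, cost=1):
        """Return True if a packet costing 'cost' tokens that arrives at 'now' passes."""
        # Refill in proportion to elapsed time, never above the bucket size.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def police(arrivals, rate, burst=0):
    """Run (timestamp, cost) arrivals through one rule; return (accepted, dropped)."""
    bucket = LimitBucket(rate, burst)
    accepted = dropped = 0
    for now, cost in arrivals:
        if bucket.accept(now, cost):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def echo_request_flood():
    """'limit rate 10/second burst 2 packets': 20 pings at t=0, 20 more at t=1 (constructed)."""
    arrivals = [(0.0, 1)] * 20 + [(1.0, 1)] * 20
    return police(arrivals, rate=10, burst=2)  # -> (22, 18): 12 pass at t=0, 10 more at t=1


def bulk_transfer():
    """'limit rate 10 mbytes/second burst 9000 kbytes': 15000 x 1500-byte packets at t=0 (constructed)."""
    arrivals = [(0.0, 1500)] * 15000
    return police(arrivals, rate=10 * UNITS["mbytes"], burst=9000 * UNITS["kbytes"])
```

In the ICMP case the first second lets through the 10 per-second allowance plus the 2-packet burst, and once the burst is spent only the refill rate passes; in the byte case the burst is spent after 9000 kbytes beyond the 10 mbytes allowance.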

You can also use the limit expression for traffic policing in a rule using the ingress hook in the new netdev family (instead of using the tc command).