Difference between revisions of "Rate limiting matchings"
(Add an example of the ''over'' keyword) |
|||
| Line 1: | Line 1: | ||
You can ratelimit traffic through ''limit''. | You can ratelimit traffic through ''limit''. | ||
= Per packet = | |||
The following example shows how to accept a maximum of 10 ICMP echo-request packets per second: | The following example shows how to accept a maximum of 10 ICMP echo-request packets per second: | ||
| Line 6: | Line 8: | ||
% nft add rule filter input icmp type echo-request limit rate 10/second accept | % nft add rule filter input icmp type echo-request limit rate 10/second accept | ||
</source> | </source> | ||
This rule matches for packets below the 10/second rate. Those packets will be accepted, therefore you will need a rule to drop packets over the ratelimit - which will not match the rule above. | |||
You can also express things the other way around, ie. | |||
<source lang="bash"> | |||
% nft add rule filter input icmp type echo-request limit rate over 10/second drop | |||
</source> | |||
The 'over' specifies that will matching packets '''over''' the rate limit, those packets will be dropped. | |||
= Per byte = | |||
Since Linux kernel 4.3, you can also ratelimit per bytes: | Since Linux kernel 4.3, you can also ratelimit per bytes: | ||
| Line 14: | Line 28: | ||
The rule above accepts traffic below the 10 mbytes/seconds rate. | The rule above accepts traffic below the 10 mbytes/seconds rate. | ||
You can also use the ''over'' option to match packets going '''over''' the rate limit, eg. | |||
<source lang="bash"> | |||
% nft add rule filter input limit rate over 10 mbytes/second drop | |||
</source> | |||
The rule above drops packets over the 10 MBytes per second rate. | |||
= Burst = | |||
You can also use the ''burst'' parameter to indicate the number of packets/bytes you can exceed the ratelimit: | You can also use the ''burst'' parameter to indicate the number of packets/bytes you can exceed the ratelimit: | ||
Revision as of 10:29, 27 April 2018
You can ratelimit traffic through limit.
Per packet
The following example shows how to accept a maximum of 10 ICMP echo-request packets per second:
% nft add rule filter input icmp type echo-request limit rate 10/second accept
This rule matches for packets below the 10/second rate. Those packets will be accepted, therefore you will need a rule to drop packets over the ratelimit - which will not match the rule above.
You can also express things the other way around, ie.
% nft add rule filter input icmp type echo-request limit rate over 10/second drop
The 'over' specifies that will matching packets over the rate limit, those packets will be dropped.
Per byte
Since Linux kernel 4.3, you can also ratelimit per bytes:
% nft add rule filter input limit rate 10 mbytes/second accept
The rule above accepts traffic below the 10 mbytes/seconds rate.
You can also use the over option to match packets going over the rate limit, eg.
% nft add rule filter input limit rate over 10 mbytes/second drop
The rule above drops packets over the 10 MBytes per second rate.
Burst
You can also use the burst parameter to indicate the number of packets/bytes you can exceed the ratelimit:
% nft add rule filter input limit rate 10 mbytes/second burst 9000 kbytes accept
This indicates that you can exceed the ratelimit in 9000 kbytes.
You can also use it for packets:
% nft add rule filter input icmp type echo-request limit rate 10/second burst 2 packets counter accept
So you can exceed the rate in 2 packets.
You can also use the limit expression for traffic policing in a rule using the ingress hook in the new netdev family (instead of using the tc command).
The over keyword allows you to use limit intuitively in a chain with policy accept:
% nft add rule netdev filter ingress pkttype broadcast limit rate over 10/second drop