
aabc / ipt-ratelimit Goto Github PK


An implementation of committed access rate, or simply rate limiting, or policing for Linux iptables, implemented with high performance in mind.

Home Page: https://github.com/aabc/ipt-ratelimit

Makefile 5.53% C 89.42% Shell 5.05%
car iptables linux policing traffic

ipt-ratelimit's Introduction

ipt-ratelimit linux kernel module by <[email protected]> -- (c) 2015-2020.

   A high-performance implementation of committed access rate (CAR), or simply
   rate limiting, or policing, for Linux iptables. Suitable for a large number
   of users (similar to ipset) and free of qdisc limitations. Supports IPv6.

   Official project homepage @ https://github.com/aabc/ipt-ratelimit


============
= ABSTRACT =
============

  The ipt-ratelimit module implements traffic policing (i.e. limiting the bit
  rate of traffic) using the token bucket filter (TBF) algorithm that is
  standard for this purpose. This particular implementation is based on
  FreeBSD's implementation of Cisco's TBF with an extended burst value (which
  is used to implement RED-like drop behavior).

  The module is compatible with recent Linux distributions such as Debian 7, 8,
  CentOS 7, and Linux kernel 3.x or above.

  IPv6 is supported, so the module is useful for dual-stack policing.
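The abstract names the algorithm but not how the committed and extended bursts interact. The simulation below is an added example (my own Python, not code from ipt-ratelimit or from FreeBSD) of a single-rate token-bucket policer using the cbs/ebs defaults from the USAGE section further down. The debt bookkeeping is my reading of the Cisco CAR scheme and is an assumption, and the traffic (1500-byte packets at 960 kbit/s and at 2.4 Mbit/s) is constructed. It shows the point the abstract makes: a flow under cir never matches the DROP rule, while an over-rate flow is trimmed to roughly cir with drops that become more frequent the longer the source stays over rate, instead of all at once when the bucket empties.

```python
"""Single-rate token-bucket policer with committed (cbs) and extended (ebs) burst.

Added illustration, not code from ipt-ratelimit. Rates, packet sizes and timings
are constructed, and the extended-burst bookkeeping follows the Cisco CAR scheme
as this example understands it (actual debt, compound debt, a drop resets the
compound debt); the module's exact accounting may differ.
"""
from dataclasses import dataclass


@dataclass
class Policer:
    cir: int             # committed information rate, bits per second
    cbs: int             # committed burst size, bytes
    ebs: int             # extended burst size, bytes
    tc: float = 0.0      # committed tokens currently available, bytes
    da: float = 0.0      # actual debt: bytes borrowed beyond cbs, not yet repaid
    dc: float = 0.0      # compound debt: accumulated actual debt across borrows
    last: float = 0.0    # arrival time of the previous packet, seconds
    conf_pkts: int = 0
    conf_bytes: int = 0
    rej_pkts: int = 0
    rej_bytes: int = 0

    def __post_init__(self) -> None:
        self.tc = float(self.cbs)   # assumption: the bucket starts full

    def offer(self, now: float, length: int) -> str:
        """Account for one packet of `length` bytes arriving at `now`; return
        "conform" or "reject" (reject is what the iptables rule matches)."""
        # Tokens accrue at cir/8 bytes per second. They first repay outstanding
        # debt; whatever is left refills the committed bucket, capped at cbs.
        refill = self.cir / 8.0 * (now - self.last)
        self.last = now
        repaid = min(self.da, refill)
        self.da -= repaid
        if self.da == 0.0:
            self.dc = 0.0           # simplification: debt fully repaid, forget history
        self.tc = min(float(self.cbs), self.tc + refill - repaid)

        if length <= self.tc:       # within the committed burst
            self.tc -= length
            return self._count("conform", length)

        # Beyond cbs: borrow from the extended burst. Compound debt grows with the
        # actual debt already outstanding, so a source that has been over rate for
        # longer sees its next packet dropped sooner. That spreads drops out instead
        # of clustering them, which is the RED-like behaviour of the extended burst.
        borrow = length - self.tc
        self.dc += self.da + borrow
        if self.dc > self.ebs:
            self.dc = 0.0           # a drop resets compound debt, not actual debt
            return self._count("reject", length)
        self.da += borrow
        self.tc = 0.0
        return self._count("conform", length)

    def _count(self, verdict: str, length: int) -> str:
        if verdict == "conform":
            self.conf_pkts += 1
            self.conf_bytes += length
        else:
            self.rej_pkts += 1
            self.rej_bytes += length
        return verdict


def simulate(policer: Policer, pps: float, size: int, seconds: float) -> dict:
    """Offer `pps` packets of `size` bytes per second for `seconds` (constructed
    constant-rate traffic) and summarise what the policer let through."""
    for i in range(int(pps * seconds)):
        policer.offer(i / pps, size)
    return {
        "conf": policer.conf_pkts,
        "rej": policer.rej_pkts,
        "conf_bps": policer.conf_bytes * 8 / seconds,   # accepted bit rate
    }


if __name__ == "__main__":
    # 1 Mbit/s with the README's default bursts (1.5 s of traffic; ebs twice that).
    under = simulate(Policer(1_000_000, 187500, 375000), pps=80, size=1500, seconds=10)
    over = simulate(Policer(1_000_000, 187500, 375000), pps=200, size=1500, seconds=10)
    print("960 kbit/s offered:", under)     # nothing rejected
    print("2.4 Mbit/s offered:", over)      # rejects hold the accepted rate near cir
```

The accepted rate of the over-rate flow lands above cir only by the one-time cbs plus the extended debt the policer tolerates, which is why the burst values, not just the rate, decide how a short download spike is treated.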


================
= INSTALLATION =
================

  Three easy steps:

  ** 1. Prepare Kernel source for module compilation

  What to do for Debian and Ubuntu:

      sudo# apt-get install module-assistant
      sudo# m-a prepare

  ** 2. Prepare Iptables

  What to do for Debian or Ubuntu:

      sudo# apt-get install iptables-dev pkg-config

  ** 3. Now, to actually build the module run:

      ~/ipt-ratelimit# make all install
      ~/ipt-ratelimit# depmod


===========
=  USAGE  =
===========

  * Module parameter:

    # modinfo xt_ratelimit.ko
    parm:           hashsize:default size of hash table used to look
                    up IPs (uint)

  The hashsize parameter specifies the size of every set's hash table (default
  value is 10000). Increase it if you plan to use more IPs than that. The best
  value is twice the number of IPs you are planning to use.

  * iptables options:

    # iptables -m ratelimit --help
    ratelimit match options:
      --ratelimit-set <name>    Name of the ratelimit set to be used.
				DEFAULT will be used if none given.
      --ratelimit-mode <mode>   Address match: src or dst.

  Both options are mandatory. A set must first be created with iptables before
  its configuration file /proc/net/ipt_ratelimit/<name> exists.

  * To create set named "name0", for example:

    # iptables -A FORWARD -m ratelimit --ratelimit-set name0 --ratelimit-mode src -j DROP

  This command works as follows:
   - the src (source) IP address of every packet is looked up in the set name0,
   - the appropriate rate-limit rule is applied to it,
   - if the packet exceeds the configured rate it MATCHES the rule,
   - thus, matched traffic is directed to the -j DROP target.

  Usage of set files:

    * To add IPs or CIDRs to the set, write a string in the following format:

       +IPv4[,IPv6,CIDR...] bitrate [normal_burst [extended_burst]]

    Examples:

      # echo +10.0.0.0/24 1000000 > /proc/net/ipt_ratelimit/name0

      - ratelimit network 10.0.0.0/24 to 1Mbit.

      # echo +10.0.0.1 1000000 > /proc/net/ipt_ratelimit/name0
      # echo +10.0.0.1 1000000 187500 > /proc/net/ipt_ratelimit/name0
      # echo +10.0.0.1 1000000 187500 375000 > /proc/net/ipt_ratelimit/name0

      - these three lines are equivalent, because the normal burst (cbs) and
        extended burst (ebs), when not specified, are calculated automatically
        by the following formula:

          normal_burst = bitrate * (1 byte)/(8 bits) * 1.5 seconds
          extended_burst = 2 * normal_burst

      # echo +10.0.0.1,10.0.0.2 10000000 > /proc/net/ipt_ratelimit/name0

      - add multiple IPs; the rate is calculated for them together (not
        separately), for example to limit a client that has multiple IPs.

    * To delete IPs from the set:

      # echo -10.0.0.1 > /proc/net/ipt_ratelimit/name0
      # echo -10.0.0.1,10.0.0.2 > /proc/net/ipt_ratelimit/name0

      If you want to always delete before adding, but don't want to see a
      deletion error message on the console or in dmesg, prepend the delete
      command with '@':

      # echo @-10.0.0.1 > /proc/net/ipt_ratelimit/name0

    * Update rates for existing rules:

      # echo @+10.0.0.1 0 > /proc/net/ipt_ratelimit/name0

      With this, if the rule does not already exist it will be added; if it
      already exists, its rate will be updated (to a zero rate in the example).
      Note that the IP list must match the existing rule exactly.

    * To flush (clean) set named "name0" (i.e. delete all rules):

      # echo / > /proc/net/ipt_ratelimit/name0

    * To view statistics:

      # cat /proc/net/ipt_ratelimit/name0

    * Stat output example and format:

    10.0.1.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0

      10.0.1.0/24  IPv4 network to match,
      cir 1000000  allowed rate (cir is committed information rate) in bits per second,
      cbs 187500   normal burst (cbs is committed burst size) in bytes,
      ebs 375000   extended burst (ebs is extended burst size) in bytes,
      tc 0         committed token bucket counter,
      te 0         extended token bucket counter (implementing extended burst),
      last never   how many seconds ago the last packet was seen,
      conf 0/0 0 bps
                   conforming traffic counters (pkts/bytes bitrate).
                   Note that bps here is an average bit rate estimate calculated
                   over the last several seconds.
      rej 0/0
                   rejected (or matched) traffic counters (pkts/bytes).
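Everything above is driven by writing control strings to, and reading stat lines from, /proc/net/ipt_ratelimit/<name>. The helpers below are an added example (mine, not part of the project) that build those strings with the README's default-burst formula and parse the stat format just documented. The address validation is a local check, not something the module does, and it rejects the comma-for-dot typo reported in the issues further down before the line reaches the kernel. The three stat lines in SAMPLE_STATS are constructed (two copied from this page, one made up) so the script runs offline; applying a control line is a plain write to the /proc file as root and is left out so the example runs anywhere.

```python
"""Build control lines for, and parse stat lines from, /proc/net/ipt_ratelimit/<name>.

Added helper code, not part of ipt-ratelimit. Formats are the README's:
'+addr[,addr...] bitrate [cbs [ebs]]', '-addr[,...]', the '@' prefix, '/' flush,
and stat lines like
  10.0.1.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0
"""
import re
from ipaddress import ip_network
from typing import Iterable, Optional

PROC_DIR = "/proc/net/ipt_ratelimit"
FLUSH = "/"                      # written alone, deletes every rule in the set

STAT_RE = re.compile(
    r"^(?P<addrs>\S+) cir (?P<cir>\d+) cbs (?P<cbs>\d+) ebs (?P<ebs>\d+); "
    r"tc (?P<tc>\d+) te (?P<te>\d+) last (?P<last>never|\d+); "
    r"conf (?P<conf_pkts>\d+)/(?P<conf_bytes>\d+) (?P<conf_bps>\d+) bps, "
    r"rej (?P<rej_pkts>\d+)/(?P<rej_bytes>\d+)(?: (?P<rej_bps>\d+) bps)?$"
)

def default_bursts(bitrate: int) -> tuple:
    """cbs = 1.5 s worth of bytes, ebs = 2 * cbs, in integer arithmetic."""
    cbs = bitrate // 8 + bitrate // 8 // 2
    return cbs, 2 * cbs

def _addr_list(addrs: Iterable[str]) -> str:
    # Validate every element before it reaches the kernel. A comma typed instead
    # of a dot ('192,168.0.203') splits into fragments that are not addresses and
    # raises ValueError here instead of going in unnoticed.
    out = []
    for a in addrs:
        net = ip_network(a.strip(), strict=False)       # host bits are masked off
        out.append(str(net.network_address) if net.prefixlen == net.max_prefixlen
                   else net.with_prefixlen)
    if not out:
        raise ValueError("at least one address is required")
    return ",".join(out)

def valid_addr_list(text: str) -> bool:
    """True if a comma-separated list of IPs/CIDRs parses cleanly."""
    try:
        _addr_list(text.split(","))
        return True
    except ValueError:
        return False

def add_rule(addrs: Iterable[str], bitrate: int, cbs: Optional[int] = None,
             ebs: Optional[int] = None, quiet: bool = False) -> str:
    """'+addrs bitrate cbs ebs'; quiet=True prepends '@' (add, or update in place).
    Omitted bursts use the README defaults; ebs defaults to twice the given cbs."""
    if bitrate < 0:
        raise ValueError("bitrate must be >= 0")
    if cbs is None:
        cbs = default_bursts(bitrate)[0]
    if ebs is None:
        ebs = 2 * cbs
    return f"{'@' if quiet else ''}+{_addr_list(addrs)} {bitrate} {cbs} {ebs}"

def delete_rule(addrs: Iterable[str], quiet: bool = False) -> str:
    """'-addrs'; quiet=True prepends '@' so a missing rule is not logged as an error."""
    return f"{'@' if quiet else ''}-{_addr_list(addrs)}"

def parse_stat(line: str) -> dict:
    """One stat line -> dict of ints; 'last' is None for 'never', rej_bps None if absent."""
    m = STAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised stat line: {line!r}")
    d = {k: (int(v) if v is not None and v.isdigit() else v)
         for k, v in m.groupdict().items()}
    d["addrs"] = d["addrs"].split(",")
    if d["last"] == "never":
        d["last"] = None
    return d

def entries_hitting_limit(stat_text: str, min_rej_share: float = 0.05) -> list:
    """(addrs, rejected share) for entries whose rejected bytes are at least
    min_rej_share of all bytes seen: the sources actually being policed."""
    hits = []
    for line in stat_text.splitlines():
        if not line.strip():
            continue
        e = parse_stat(line)
        total = e["conf_bytes"] + e["rej_bytes"]
        if total and e["rej_bytes"] / total >= min_rej_share:
            hits.append((",".join(e["addrs"]), round(e["rej_bytes"] / total, 3)))
    return hits

# Constructed sample: first two lines appear on this page, the third is made up.
SAMPLE_STATS = """\
10.0.1.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0
192.168.0.200 cir 0 cbs 2000000 ebs 4000000; tc 12043 te 0 last 512; conf 138/12043 2833 bps, rej 0/0 0 bps
10.0.0.7 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last 3; conf 9000/9000000 990000 bps, rej 1200/1800000 0 bps
"""

if __name__ == "__main__":
    print(add_rule(["10.0.0.0/24"], 1_000_000))         # +10.0.0.0/24 1000000 187500 375000
    print(add_rule(["10.0.0.1", "10.0.0.2"], 10_000_000, quiet=True))
    print(delete_rule(["10.0.0.1"], quiet=True))        # @-10.0.0.1
    print(entries_hitting_limit(SAMPLE_STATS))          # [('10.0.0.7', 0.167)]
```

entries_hitting_limit is the sort of check worth running from monitoring: a steady rejected share on an entry means that subscriber is being policed continuously, while an entry with traffic and rej 0/0 means the limit is not biting at all.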


===========

ipt-ratelimit's People

Contributors: aabc, alexk99, hotid


ipt-ratelimit's Issues

Oops: ratelimit_proc_write+0x833/0x8a0 [xt_ratelimit]

Reported privately. Unfortunately, there is no actual kernel panic message, only this slowpath warning. Which is inconclusive and hard to analyse.

It crashed at the moment of a routine update of a subscriber's speed.

pcki 7306996 | pcko 7132145 | si 5037 Mbps | so 4956 Mbps

ipt_NETFLOW 2.1-30-gd99cec8, srcversion C8F0CBE193F0DEA0DBF574B;


Oct 9 17:00:28 nas4 kernel: [14460386.084466] xt_ratelimit: Del op doesn't reference any existing address (cmd: -10.171.20.92)
Oct 9 17:00:28 nas4 kernel: [14460386.084920] xt_ratelimit: Del op doesn't reference any existing address (cmd: -10.171.20.92)
Oct 9 17:03:29 nas4 kernel: [14460566.483091] xt_ratelimit: Del op doesn't reference any existing address (cmd: -10.121.30.53)
Oct 9 17:03:29 nas4 kernel: [14460566.483535] xt_ratelimit: Del op doesn't reference any existing address (cmd: -10.121.30.53)
Oct 9 17:03:29 nas4 kernel: [14460566.483670] ------------[ cut here ]------------
Oct 9 17:03:29 nas4 kernel: [14460566.483674] WARNING: CPU: 3 PID: 7855 at /build/buildd/linux-3.13.0/kernel/softirq.c:156 local_bh_enable_ip+0x6a/0x90()
Oct 9 17:03:29 nas4 kernel: [14460566.483693] Modules linked in: ipt_NETFLOW(OX) netconsole configfs xt_ratelimit(OX) nf_nat_pptp nf_nat_proto_gre nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_netlink act_mirred cls_u32 cls_fw sch_htb sch_prio xt_IPMARK(OX) compat_xtables(OX) iptable_mangle xt_nat xt_tcpudp xt_set iptable_nat nf_nat_ipv4 ip_set_hash_ip ip_set nfnetlink nf_nat_ftp nf_conntrack_ftp nf_nat xt_limit xt_multiport nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables x_tables x86_pkg_temp_thermal intel_powerclamp coretemp kvm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ppdev aesni_intel snd_hda_codec_hdmi aes_x86_64 lrw gf128mul snd_hda_intel glue_helper snd_hda_codec i915 ablk_helper cryptd snd_hwdep drm_kms_helper snd_pcm snd_page_alloc drm snd_timer snd i2c_algo_bit mei_me soundcore mei lpc_ich video parport_pc serio_raw mac_hid lp parport ixgbe psmouse dca ahci ptp libahci pps_core mdio [last unloaded: ipt_NETFLOW]
Oct 9 17:03:29 nas4 kernel: [14460566.483699] CPU: 3 PID: 7855 Comm: update Tainted: G OX 3.13.0-40-generic #69-Ubuntu
Oct 9 17:03:29 nas4 kernel: [14460566.483700] Hardware name: Gigabyte Technology Co., Ltd. Z87-HD3/Z87-HD3, BIOS F7 01/20/2014
Oct 9 17:03:29 nas4 kernel: [14460566.483701] 0000000000000009 ffff880175f036b0 ffffffff8171f226 0000000000000000
Oct 9 17:03:29 nas4 kernel: [14460566.483702] ffff880175f036e8 ffffffff810677cd ffff88022fbc6108 ffff880229a3dda0
Oct 9 17:03:29 nas4 kernel: [14460566.483703] 00000000fffffdda 0000000000000000 ffff88022fbc6040 ffff880175f036f8
Oct 9 17:03:29 nas4 kernel: [14460566.483704] Call Trace:
Oct 9 17:03:29 nas4 kernel: [14460566.483706] [<ffffffff8171f226>] dump_stack+0x45/0x56
Oct 9 17:03:29 nas4 kernel: [14460566.483708] [<ffffffff810677cd>] warn_slowpath_common+0x7d/0xa0
Oct 9 17:03:29 nas4 kernel: [14460566.483708] [<ffffffff810678aa>] warn_slowpath_null+0x1a/0x20
Oct 9 17:03:29 nas4 kernel: [14460566.483710] [<ffffffff8106cf9a>] local_bh_enable_ip+0x6a/0x90
Oct 9 17:03:29 nas4 kernel: [14460566.483711] [<ffffffff817271cb>] _raw_spin_unlock_bh+0x1b/0x40
Oct 9 17:03:29 nas4 kernel: [14460566.483716] [<ffffffffa006b0fd>] ixgbe_poll+0x41d/0x800 [ixgbe]
Oct 9 17:03:29 nas4 kernel: [14460566.483720] [<ffffffff816140be>] ? __alloc_skb+0x4e/0x2b0
Oct 9 17:03:29 nas4 kernel: [14460566.483722] [<ffffffff8163d286>] netpoll_poll_dev+0x1b6/0x9b0
Oct 9 17:03:29 nas4 kernel: [14460566.483723] [<ffffffff8163dd81>] netpoll_send_skb_on_dev+0x301/0x430
Oct 9 17:03:29 nas4 kernel: [14460566.483725] [<ffffffff8163e1da>] netpoll_send_udp+0x27a/0x390
Oct 9 17:03:29 nas4 kernel: [14460566.483727] [<ffffffffa045a89f>] write_msg+0xcf/0x120 [netconsole]
Oct 9 17:03:29 nas4 kernel: [14460566.483730] [<ffffffff810bc303>] call_console_drivers.constprop.19+0x93/0xf0
Oct 9 17:03:29 nas4 kernel: [14460566.483731] [<ffffffff810bd46f>] console_unlock+0x3bf/0x400
Oct 9 17:03:29 nas4 kernel: [14460566.483732] [<ffffffff810bd76e>] vprintk_emit+0x2be/0x530
Oct 9 17:03:29 nas4 kernel: [14460566.483734] [<ffffffff81718e88>] printk+0x67/0x69
Oct 9 17:03:29 nas4 kernel: [14460566.483735] [<ffffffffa0460183>] ratelimit_proc_write+0x833/0x8a0 [xt_ratelimit]
Oct 9 17:03:29 nas4 kernel: [14460566.483737] [<ffffffff8136c5d3>] ? number.isra.1+0x323/0x360
Oct 9 17:03:29 nas4 kernel: [14460566.483739] [<ffffffff8116d499>] ? zone_statistics+0x89/0xa0
Oct 9 17:03:29 nas4 kernel: [14460566.483741] [<ffffffff811581bb>] ? get_page_from_freelist+0x54b/0x930
Oct 9 17:03:29 nas4 kernel: [14460566.483742] [<ffffffff811a2995>] ? kmem_cache_alloc+0x35/0x1e0
Oct 9 17:03:29 nas4 kernel: [14460566.483744] [<ffffffff8122403d>] ? proc_alloc_inode+0x1d/0xb0
Oct 9 17:03:29 nas4 kernel: [14460566.483746] [<ffffffff812d59ae>] ? security_inode_alloc+0x1e/0x20
Oct 9 17:03:29 nas4 kernel: [14460566.483748] [<ffffffff811d746c>] ? inode_init_always+0x11c/0x1e0
Oct 9 17:03:29 nas4 kernel: [14460566.483751] [<ffffffff811ff5c1>] ? fsnotify+0x241/0x320
Oct 9 17:03:29 nas4 kernel: [14460566.483752] [<ffffffff811da234>] ? notify_change+0x2e4/0x390
Oct 9 17:03:29 nas4 kernel: [14460566.483754] [<ffffffff811baaa0>] ? do_truncate+0x80/0xa0
Oct 9 17:03:29 nas4 kernel: [14460566.483755] [<ffffffff811d44d4>] ? dput+0x24/0x180
Oct 9 17:03:29 nas4 kernel: [14460566.483757] [<ffffffff811dd684>] ? mntput+0x24/0x40
Oct 9 17:03:29 nas4 kernel: [14460566.483758] [<ffffffff811c8249>] ? terminate_walk+0x49/0x50
Oct 9 17:03:29 nas4 kernel: [14460566.483759] [<ffffffff811cc0ee>] ? do_last+0x18e/0x1230
Oct 9 17:03:29 nas4 kernel: [14460566.483760] [<ffffffff811ca746>] ? link_path_walk+0x256/0x870
Oct 9 17:03:29 nas4 kernel: [14460566.483763] [<ffffffff813137ab>] ? apparmor_file_alloc_security+0x5b/0x180
Oct 9 17:03:29 nas4 kernel: [14460566.483764] [<ffffffff811d44d4>] ? dput+0x24/0x180
Oct 9 17:03:29 nas4 kernel: [14460566.483765] [<ffffffff811dd684>] ? mntput+0x24/0x40
Oct 9 17:03:29 nas4 kernel: [14460566.483766] [<ffffffff811cd2e8>] ? path_openat+0x158/0x650
Oct 9 17:03:29 nas4 kernel: [14460566.483767] [<ffffffff810c8e8d>] ? call_rcu_sched+0x1d/0x20
Oct 9 17:03:29 nas4 kernel: [14460566.483769] [<ffffffff811ce64a>] ? do_filp_open+0x3a/0x90
Oct 9 17:03:29 nas4 kernel: [14460566.483770] [<ffffffff8131353a>] ? common_file_perm+0x4a/0x100
Oct 9 17:03:29 nas4 kernel: [14460566.483772] [<ffffffff811bff89>] ? __sb_start_write+0x49/0xe0
Oct 9 17:03:29 nas4 kernel: [14460566.483773] [<ffffffff81223dbd>] proc_reg_write+0x3d/0x80
Oct 9 17:03:29 nas4 kernel: [14460566.483774] [<ffffffff811bd9a4>] vfs_write+0xb4/0x1f0
Oct 9 17:03:29 nas4 kernel: [14460566.483775] [<ffffffff811be3d9>] SyS_write+0x49/0xa0
Oct 9 17:03:29 nas4 kernel: [14460566.483777] [<ffffffff8172fd2d>] system_call_fastpath+0x1a/0x1f
Oct 9 17:03:29 nas4 kernel: [14460566.483777] ---[ end trace 613c9d524c487718 ]---



Samples: 301M of event 'cycles', Event count (approx.): 75282784931
8,46% [kernel] [k] ____nf_conntrack_find
7,92% [kernel] [k] _raw_spin_lock
7,09% [kernel] [k] ipt_do_table
4,17% [kernel] [k] fib_table_lookup
3,97% [kernel] [k] ixgbe_clean_rx_irq
3,32% [kernel] [k] netflow_target
2,68% [kernel] [k] nf_iterate
2,63% [kernel] [k] eth_type_trans
2,61% [kernel] [k] ratelimit_mt
2,49% [kernel] [k] ixgbe_xmit_frame_ring
2,21% [kernel] [k] ip_set_test
1,47% [kernel] [k] __netif_receive_skb_core
1,33% [kernel] [k] ixgbe_poll
1,28% [kernel] [k] check_leaf.isra.8
1,28% [kernel] [k] ip_route_input_noref
1,15% [kernel] [k] local_bh_enable
1,14% [kernel] [k] hash_ip4_test
1,10% [kernel] [k] _raw_read_lock_bh
1,05% [kernel] [k] ip_rcv
1,03% [kernel] [k] memcmp



1 [|||||||||||||| 23.0%] Tasks: 51; 6 running
2 [||||||||||||||| 23.9%] Load average: 0.01 0.04 0.05 
3 [|||||||||||||||||| 28.6%] Uptime: 167 days(!), 05:36:29
4 [||||||||||||||||||||||||||||||||||||||||||| 71.2%]
Mem[||||||||||||||| 697/7906MB]
Swp[| 3/8115MB]

Download limit problem

Hi all

I have a problem with setting a speed over 50 Mb/s.

iptables -A FORWARD -m ratelimit --ratelimit-set up --ratelimit-mode src -j DROP
iptables -A FORWARD -m ratelimit --ratelimit-set down --ratelimit-mode dst -j DROP
echo / > /proc/net/ipt_ratelimit/up
echo / > /proc/net/ipt_ratelimit/down
echo +192.168.0.2 100000000 > /proc/net/ipt_ratelimit/up
echo +192.168.0.2 100000000 > /proc/net/ipt_ratelimit/down

192.168.0.2 cir 104857600 cbs 19660800 ebs 39321600; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0

The problem comes when I try to set 70, 80, 90 or 100 Mbit: the speed is limited to 8-10 Mbit.
After setting the shaper back to 50 Mbit it works fine and shapes the customer to 50-52 Mb/s.

How can I debug and fix this problem?

How to make it work with nft flow (flowtable offload)

Hi, I am trying to make the module work with nft.
If I only do NAT in nft, the shaper works in both directions (up/down),
with these rules:

    table nat {
        chain postrouting {
            type nat hook postrouting priority 100;
            oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
        }
    }

But if I try to move to flow offload:

    table inet filter {
        flowtable fastnat {
            hook ingress priority 0
            devices = { <i_if>, <o_if> }
        }

        chain forward {
            type filter hook forward priority 0; policy accept;
            ip protocol { tcp , udp } flow offload @fastnat;
        }
    }

In this case only the upload limit works; the download limit does not work.

Any idea how to make it work?
It would be very useful.

Problem in installation

Hello,

I have successfully installed the ratelimit package. As you can see, the following is the output after running the help command:

    ratelimit match options:
      --ratelimit-set <name>    Name of the ratelimit set to be used.
                                DEFAULT will be used if none given.
      --ratelimit-mode <mode>   Address match: src or dst.
    xt_ratelimit by: ABC

However, I am getting the following error after running "iptables --ratelimit-set name0 --ratelimit-mode src -j DROP". What can cause such an error?

    iptables v1.4.21: unknown option "--ratelimit-set"

Error while "make all install" on Debian 12

Hi.
Trying to install on Debian 12 beta.

# make all install
make -C /lib/modules/6.1.0-8-amd64/build/ M=/root/ipt-ratelimit-0.3.2 modules CONFIG_DEBUG_INFO=y
make[1]: Entering directory '/usr/src/linux-headers-6.1.0-8-amd64'
  CC [M]  /root/ipt-ratelimit-0.3.2/xt_ratelimit.o
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c: In function ‘ratelimit_proc_open’:
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c:318:31: error: implicit declaration of function ‘PDE_DATA’; did you mean ‘NODE_DATA’? [-Werror=implicit-function-declaration]
  318 |                 sf->private = PDE_DATA(inode);
      |                               ^~~~~~~~
      |                               NODE_DATA
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c:318:29: warning: assignment to ‘void *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
  318 |                 sf->private = PDE_DATA(inode);
      |                             ^
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c: In function ‘ratelimit_proc_write’:
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c:623:42: warning: initialization of ‘struct xt_ratelimit_htable *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
  623 |         struct xt_ratelimit_htable *ht = PDE_DATA(file_inode(file));
      |                                          ^~~~~~~~
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c: In function ‘parse_rule’:
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c:530:37: warning: this statement may fall through [-Wimplicit-fallthrough=]
  530 |                                 val = val / 8 + (val / 8 / 2);
      |                                 ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c:532:25: note: here
  532 |                         case 1:
      |                         ^~~~
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c:534:37: warning: this statement may fall through [-Wimplicit-fallthrough=]
  534 |                                 val *= 2;
      |                                 ~~~~^~~~
/root/ipt-ratelimit-0.3.2/xt_ratelimit.c:536:25: note: here
  536 |                         case 2:
      |                         ^~~~
cc1: some warnings being treated as errors
make[2]: *** [/usr/src/linux-headers-6.1.0-8-common/scripts/Makefile.build:255: /root/ipt-ratelimit-0.3.2/xt_ratelimit.o] Error 1
make[1]: *** [/usr/src/linux-headers-6.1.0-8-common/Makefile:2037: /root/ipt-ratelimit-0.3.2] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-6.1.0-8-amd64'
make: *** [Makefile:12: xt_ratelimit.ko] Error 2
# uname -a
Linux  6.1.0-8-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.25-1 (2023-04-22) x86_64 GNU/Linux

Should I try version 0.3.3?

Beginner's question

Please help me figure this out.
Did I understand correctly that with this module I can limit speed inside my own network?
That is, for example, I have the network 192.168.0.0/24
and I want to limit, say, the IP range 192.168.0.192/27 to a speed of 1 Mbit.
I don't quite understand how to write the iptables rule correctly.
Please advise, I would be very grateful.

Linux 5.6: failed to compile

make -C /usr/lib/modules/5.6.2-arch1-2/build M=/home/k0ste/sandbox/AUR/ipt_ratelimit/src/ipt-ratelimit-0.2 modules CONFIG_DEBUG_INFO=y
make[1]: Entering directory '/usr/lib/modules/5.6.2-arch1-2/build'
  CC [M]  /home/k0ste/sandbox/AUR/ipt_ratelimit/src/ipt-ratelimit-0.2/xt_ratelimit.o
/home/k0ste/sandbox/AUR/ipt_ratelimit/src/ipt-ratelimit-0.2/xt_ratelimit.c: In function ‘htable_create’:
/home/k0ste/sandbox/AUR/ipt_ratelimit/src/ipt-ratelimit-0.2/xt_ratelimit.c:704:7: error: passing argument 4 of ‘proc_create_data’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  704 |       &ratelimit_fops, ht);
      |       ^~~~~~~~~~~~~~~
      |       |
      |       const struct file_operations *
In file included from /home/k0ste/sandbox/AUR/ipt_ratelimit/src/ipt-ratelimit-0.2/xt_ratelimit.c:29:
./include/linux/proc_fs.h:59:31: note: expected ‘const struct proc_ops *’ but argument is of type ‘const struct file_operations *’
   59 | extern struct proc_dir_entry *proc_create_data(const char *, umode_t,
      |                               ^~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:268: /home/k0ste/sandbox/AUR/ipt_ratelimit/src/ipt-ratelimit-0.2/xt_ratelimit.o] Error 1
make[1]: *** [Makefile:1683: /home/k0ste/sandbox/AUR/ipt_ratelimit/src/ipt-ratelimit-0.2] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.6.2-arch1-2/build'
make: *** [Makefile:12: xt_ratelimit.ko] Error 2

not working in router wan side ip address

I tested it on my router (Linux kernel 3.10.14). It works fine if I use a LAN-side IP address as the src or dst IP, but it does not work if I use a WAN-side IP address. The network topology is like this:

PC(192.168.168.1.2)---------lan-|Router|-wan----------Internet server(172.16.1.2)
lan side wan side

I need to make WAN-side rate control work; how can I do that? Thanks!

Can't create set

After installation I try to create a set, but get an error:

root@ubuntu:/# echo +10.0.0.0/24 1000000 > /proc/net/ipt_ratelimit/allusers
-bash: /proc/net/ipt_ratelimit/allusers: No such file or directory

End of flow and timeout

Is it really necessary to wait for the idle (inactive) timeout to expire for flows in which a FIN or RST flag has been seen? I found nothing about this in the RFC.

    static inline int inactive_needs_export(const struct ipt_netflow *nf, const long i_timeout,
        const unsigned long j)
    {
        if (likely(i_timeout)) {
            if (unlikely((j - nf->nf_ts_last) > i_timeout)) {
                if (nf->tuple.protocol == IPPROTO_TCP &&
                    FLAG_UP(nf->tcp_flags, TCP_FIN_RST))
                    return 0x03; /* end of Flow detected */

Is the project alive?

Good day! With the introduction of free internet access (to socially significant resources) for subscribers with a negative balance, I would like to use ipt-ratelimit to limit the speed to such resources to a minimum, but my question is: how can I use ipt-ratelimit together with ipset?
Let me explain: there is an ipset table of unauthorized subscribers who need to be given access to such resources, but as I understand it, ipt-ratelimit cannot work with ipset?

You can add the networks with the social resources to the FORWARD table (with ACCEPT, of course), and apply ratelimit to and from the subscriber's address.

max cir 4290000000 and not more?

If I set a value above 4290000000, continuous drops begin. Please advise what to fix in the code to remove the maximum limit so that the shaper can be used at, for example, 6 Gigabit.

New release

Please make new github release, the current is 2 years old 🙂

If one octet in an IP is comma-separated instead of dot-separated, it should raise an error

The second IP has a typo:

echo -192.168.0.200 2000000 > /proc/net/ipt_ratelimit/http ; echo +192.168.0.200,192,168.0.203 2000000 > /proc/net/ipt_ratelimit/http
cat /proc/net/ipt_ratelimit/http 
192.168.0.200 cir 0 cbs 2000000 ebs 4000000; tc 12043 te 0 last 512; conf 138/12043 2833 bps, rej 0/0 0 bps

No errors at all in dmesg.

xt_ratelimit: 0.1-13-gc235a26 load success.
Linux hostname 4.2.2-1-ARCH #1 SMP PREEMPT Tue Sep 29 22:21:33 CEST 2015 x86_64 GNU/Linux

Ratelimit rules order?

I need ratelimit on the whole network, except for some IPs.
For a test I ran:

root@ubuntu:~# iptables -A FORWARD -m ratelimit --ratelimit-set fullspeedsrc --ratelimit-mode src -j DROP
root@ubuntu:~# iptables -A FORWARD -m ratelimit --ratelimit-set fullspeeddst --ratelimit-mode dst -j DROP
root@ubuntu:~# iptables -A FORWARD -m ratelimit --ratelimit-set limitdst --ratelimit-mode dst -j DROP
root@ubuntu:~# iptables -A FORWARD -m ratelimit --ratelimit-set limitsrc --ratelimit-mode src -j DROP
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo +10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo +10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitsrc

All works fine: IP .100 has a 100 Mbit limit and IP .101 has a 1 Mbit limit.
After that I remove the .101 rules and add rules for the .100/24 IP range:

root@ubuntu:~# echo -10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo -10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitdst

But IP .100 also gets a 1 Mbit limit; the first rules for the .101 IP don't work.

How can I implement this logic?

Compilation warning on Ubuntu: frame size of 1136 bytes is larger than 1024 bytes

Compilation warning on Ubuntu.

 CC [M]  /usr/src/ipt-ratelimit-master/xt_ratelimit.o
/usr/src/ipt-ratelimit-master/xt_ratelimit.c: In function ‘ratelimit_proc_write’:
/usr/src/ipt-ratelimit-master/xt_ratelimit.c:478:1: warning: the frame size of 1136 bytes is larger than 1024 bytes [-Wframe-larger-than=]
 }
 ^
  Building modules, stage 2.

Compilation Error, Debian/12

Distr: Debian Bookworm
Kernel: 6.1.0

Compilation Error:

make -C /lib/modules/6.1.0-7-amd64/build/ M=/usr/local/src/ipt-ratelimit modules
make[1]: Entering directory '/usr/src/linux-headers-6.1.0-7-amd64'
  CC [M]  /usr/local/src/ipt-ratelimit/xt_ratelimit.o
/usr/local/src/ipt-ratelimit/xt_ratelimit.c: In function ‘parse_rule’:
/usr/local/src/ipt-ratelimit/xt_ratelimit.c:530:37: warning: this statement may fall through [-Wimplicit-fallthrough=]
  530 |                                 val = val / 8 + (val / 8 / 2);
      |                                 ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~
/usr/local/src/ipt-ratelimit/xt_ratelimit.c:532:25: note: here
  532 |                         case 1:
      |                         ^~~~
/usr/local/src/ipt-ratelimit/xt_ratelimit.c:534:37: warning: this statement may fall through [-Wimplicit-fallthrough=]
  534 |                                 val *= 2;
      |                                 ~~~~^~~~
/usr/local/src/ipt-ratelimit/xt_ratelimit.c:536:25: note: here
  536 |                         case 2:
      |                         ^~~~
  MODPOST /usr/local/src/ipt-ratelimit/Module.symvers
  CC [M]  /usr/local/src/ipt-ratelimit/xt_ratelimit.mod.o
  LD [M]  /usr/local/src/ipt-ratelimit/xt_ratelimit.ko
  BTF [M] /usr/local/src/ipt-ratelimit/xt_ratelimit.ko
Skipping BTF generation for /usr/local/src/ipt-ratelimit/xt_ratelimit.ko due to unavailability of vmlinux
make[1]: Leaving directory '/usr/src/linux-headers-6.1.0-7-amd64'
sync
gcc -O2 -Wall -Wunused -fPIC   -o libxt_ratelimit_sh.o -c libxt_ratelimit.c
gcc -shared -o libxt_ratelimit.so libxt_ratelimit_sh.o
/usr/bin/ld: libxt_ratelimit_sh.o: in function `_init':
libxt_ratelimit.c:(.text+0x210): multiple definition of `_init'; /usr/lib/gcc/x86_64-linux-gnu/12/../../../x86_64-linux-gnu/crti.o:(.init+0x0): first defined here
collect2: error: ld returned 1 exit status
make: *** [Makefile:19: libxt_ratelimit.so] Error 1
rm libxt_ratelimit_sh.o

Little to no increase in speed after establishing flowtable software acceleration rules

Create the following acceleration rules:
    table ip filter {
        flowtable f {
            hook ingress priority filter
            devices = { eth0.2, nas3_0 }
        }

        chain forward {
            type filter hook forward priority filter; policy accept;
            ip protocol { tcp, udp } flow add @f
            counter packets 0 bytes 0
        }
    }
Checking cat /proc/net/nf_conntrack:
ipv4 2 tcp 6 src=192.168.1.20 dst=10.10.10.13 sport=63522 dport=5201 src=10.10.10.13 dst=10.10.10.10 sport=5201 dport=63522 [OFFLOAD] mark=0 use=3
But the iperf3 stream test (TCP) results: compared to when no acceleration rule was established, there is no change upstream, and downstream increased only a little (about 2 Mbit/s).
What are the reasons for this situation? How should it be solved?

Debian package
