[cod] Some new cool iptables!
Ruediger Meier
sweet_f_a at gmx.de
Fri Mar 9 17:58:18 EST 2012
On Friday 09 March 2012, Boyd G. Gafford Ph.D. wrote:
> Limit per IP is done via the --hashlimit module, and the kernel can
> get hit hard if try to hash millions of random IPs and allocate the
> memory for them.
>
> If there is another way to limit by IP besides --hashlimit that
> doesn't require dynamic allocation I'm all ears!
What about

  --hashlimit-htable-size buckets
      The number of buckets of the hash table
  --hashlimit-htable-max entries
      Maximum entries in the hash.
  --hashlimit-htable-expire msec
      After how many milliseconds do hash entries expire
  --hashlimit-htable-gcinterval msec
      How many milliseconds between garbage collection

Since all your limit rules are per 1 second anyway, you can keep the hash
tables very small.
cu,
Rudi
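As an added example (not code from the list post or from the iptables project), the shell script below builds a SYN-rate rule of the kind discussed above, with the four htable options set explicitly so the per-source table cannot grow without bound when many distinct source addresses show up. It assumes iptables with the xt_hashlimit match and uses the option names documented in iptables-extensions(8); the port, rate, burst and entry cap are constructed sample values, and the expire/gc/bucket ratios are illustrative choices, not kernel requirements.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Builds an iptables hashlimit
# rule whose per-source hash table is explicitly bounded. Assumes iptables with
# the xt_hashlimit match; option names are those of iptables-extensions(8).
# The sizes and ratios below are constructed choices for illustration.

# Milliseconds in the rate's time unit ("10/sec" -> 1000, "5/min" -> 60000).
rate_interval_ms() {
    case "$1" in
        */sec|*/second) echo 1000 ;;
        */min|*/minute) echo 60000 ;;
        */hour)         echo 3600000 ;;
        */day)          echo 86400000 ;;
        *) echo "unknown rate unit: $1" >&2; return 1 ;;
    esac
}

# Bucket count for a given entry cap: largest power of two <= max/8, min 16.
# (When neither is given, the kernel itself defaults to max = 8 * buckets.)
htable_buckets() {
    max=$1
    b=16
    while [ $((b * 16)) -le "$max" ]; do b=$((b * 2)); done
    echo "$b"
}

# hashlimit_rule CHAIN DPORT RATE BURST MAX_ENTRIES
# Prints the rule; nothing is applied, so it can be reviewed first.
hashlimit_rule() {
    chain=$1; dport=$2; rate=$3; burst=$4; max=$5
    interval=$(rate_interval_ms "$rate") || return 1
    # Entries must outlive the rate window or the per-source state resets;
    # garbage collection once per window keeps expired entries from piling up.
    expire=$((interval * 2))
    gc=$interval
    buckets=$(htable_buckets "$max")
    rule="iptables -A $chain -p tcp --dport $dport --syn"
    rule="$rule -m hashlimit --hashlimit-name syn_$dport --hashlimit-mode srcip"
    rule="$rule --hashlimit-above $rate --hashlimit-burst $burst"
    rule="$rule --hashlimit-htable-size $buckets --hashlimit-htable-max $max"
    rule="$rule --hashlimit-htable-expire $expire --hashlimit-htable-gcinterval $gc"
    rule="$rule -j DROP"
    printf '%s\n' "$rule"
}

# Apply the rule only when explicitly requested (needs root and the module);
# otherwise print it as a dry run.
apply_hashlimit_rule() {
    rule=$(hashlimit_rule "$@") || return 1
    if [ "${HASHLIMIT_APPLY:-0}" = 1 ]; then
        $rule
    else
        printf 'dry run: %s\n' "$rule"
    fi
}

# Constructed sample: cap SSH SYNs at 10/s per source, burst 20, at most
# 65536 tracked sources (8192 buckets, 2 s expiry, 1 s gc interval).
apply_hashlimit_rule INPUT 22 10/sec 20 65536
```

Run it as-is to see the rule; set `HASHLIMIT_APPLY=1` and run as root to install it. The point of `--hashlimit-htable-max` is that it turns the table into a hard bound: once the cap is reached, xt_hashlimit refuses to allocate a new entry and drops the packet from a not-yet-tracked source rather than growing, so pick the cap from the number of sources you actually expect to see inside one expiry window, and watch the kernel log for the "max count reached" message as the signal that it is being hit.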