-
Notifications
You must be signed in to change notification settings - Fork 32
/
README
158 lines (102 loc) · 5.23 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
ipt-ratelimit linux kernel module by <[email protected]> -- (c) 2015-2020.
An high-performance implementation of committed access rate, or simply rate
limiting, or policing for Linux iptables. Suitable for a lot of users
(similar to ipset) and does not have qdisc limitations. Supports IPv6.
Official project homepage @ https://github.com/aabc/ipt-ratelimit
============
= ABSTRACT =
============
ipt-ratelimit module implements traffic policing (i.e. limiting traffic bit
rate) using, standard for this purpose, token bucket filter (TBF) algorithm.
Particular implementation is based on FreeBSD's implementation of Cisco's TBF
with extended burst value (which is used to implement RED-like drop behavior).
Module is compatible with recent linux distributions such as Debian 7, 8,
Centos 7, and Linux kernel 3.x or above.
Does support IPv6, thus useful for dual-stack policing.
================
= INSTALLATION =
================
Three easy steps:
** 1. Prepare Kernel source for module compilation
What to do for Debian and Ubuntu:
sudo# apt-get install module-assistant
sudo# m-a prepare
** 2. Prepare Iptables
What to do for Debian or Ubuntu:
sudo# apt-get install iptables-dev pkg-config
** 3. Now, to actually build the module run:
~/ipt-ratelimit# make all install
~/ipt-ratelimit# depmod
===========
= USAGE =
===========
* Module parameter:
# modinfo xt_ratelimit.ko
parm: hashsize:default size of hash table used to look
up IPs (uint)
Parameter hashsize allows to specify size of every set's hash table (default
value is 10000). Increase if you plan to use more IPs than that. Best value
is twice as much IPs you are planning to use.
* iptables options:
# iptables -m ratelimit --help
ratelimit match options:
--ratelimit-set <name> Name of the ratelimit set to be used.
DEFAULT will be used if none given.
--ratelimit-mode <mode> Address match: src or dst.
Both options are mandatory. Every set should be first created with iptables
before it will have configuration file /proc/net/ipt_ratelimit/<name>
* To create set named "name0", for example:
# iptables -A FORWARD -m ratelimit --ratelimit-set name0 --ratelimit-mode src -j DROP
This command will work like this:
- match src (source) IP address of every packet in the set name0,
- apply appropriate rate-limit rule to it,
- and if packet is exceeding configured rate it will MATCH the rule,
- thus, matched traffic is directed to the -j DROP target.
Usage of set files:
* To add IPs or CIDRs to the set write string in the following format:
+IPv4[,IPv6,CIDR...] bitrate [normal_burst [extended_burst]]
Examples:
# echo +10.0.0.0/24 1000000 > /proc/net/ipt_ratelimit/name0
- ratelimit network 10.0.0.0/24 to 1Mbit.
# echo +10.0.0.1 1000000 > /proc/net/ipt_ratelimit/name0
# echo +10.0.0.1 1000000 187500 > /proc/net/ipt_ratelimit/name0
# echo +10.0.0.1 1000000 187500 375000 > /proc/net/ipt_ratelimit/name0
- these three lines are equal, because normal burst (cbs) and extended
burst (ebs), when not specified, are calculated automatically by
optimal formula:
normal_burst = bitrate * (1 byte)/(8 bits) * 1.5 seconds
extended_burst = 2 * normal_burst
# echo +10.0.0.1,10.0.0.2 10000000 > /proc/net/ipt_ratelimit/name0
- add multiple IPs, rate will be calculated for them together (not
separately). For example if you want limit client with multiple IPs.
* To delete IPs from the set:
# echo -10.0.0.1 > /proc/net/ipt_ratelimit/name0
# echo -10.0.0.1,10.0.0.2 > /proc/net/ipt_ratelimit/name0
If you want to always delete before add, but don't want to see deletion
error message on console or dmesg, prepend delete command with '@':
# echo @-10.0.0.1 > /proc/net/ipt_ratelimit/name0
* Update rates for existing rules:
# echo @+10.0.0.1 0 > /proc/net/ipt_ratelimit/name0
With this, if rule is not already exists then it will be added,
if it's already exists then rate will be updated (with zero rate in
example). Note, that IP list should match existing rule exactly.
* To flush (clean) set named "name0" (i.e. delete all rules):
# echo / > /proc/net/ipt_ratelimit/name0
* To view statistics:
# cat /proc/net/ipt_ratelimit/name0
* Stat output example and format:
10.0.1.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0
10.0.1.0/24 IPv4 network to match,
cir 1000000 allowed rate (cir is committed information rate) in bits,
cbs 187500 normal burst (cbs is committed burst size) in bytes,
ebs 375000 extended burst (cbs is extended burst size) in bytes,
tc 0 committed token bucket counter,
te 0 extended token bucket counter (implementing extended burst),
last never how much seconds ago last packet is seen,
conf 0/0 0 bps
conforming traffic counters (pkts/bytes bitrate),
Note, that bps here is average bit rate estimation calculated
for last several seconds.
rej 0/0
rejected (or matched) traffic counters.
===========