
Ratelimit rules order? about ipt-ratelimit HOT 13 CLOSED

aabc avatar aabc commented on July 24, 2024
Ratelimit rules order?

from ipt-ratelimit.

Comments (13)

aabc avatar aabc commented on July 24, 2024

This should already work. If it supposedly isn't, test and prove it's not working.


dashkevichdmitry avatar dashkevichdmitry commented on July 24, 2024

I tested the speed and created the issue based on that.

These IPs are OpenVPN users. OpenVPN runs on an Android tablet. I test the speed with a speedtest app.
I add the first rules with a limit for one IP, connect to OpenVPN as the user with IP .101, run the test and get 1mbit, then disconnect, connect as the user with IP .100 and get 10mbit speed (the server, the tablet or the channel can't reach the full 100mbit, but it isn't 1mbit), all fine.
Then I change the rules, repeat the test and get 1mbit for both users.

What can I provide for debugging?

aabc avatar aabc commented on July 24, 2024
  1. Reload the ratelimit rules, so that the counters are clean.
  2. When you are testing IP .100 and get 20mbit speed, in the middle of the test cat the /proc/net/ipt_ratelimit/ files and copy-paste their content here. That should show which rules are triggering.

dashkevichdmitry avatar dashkevichdmitry commented on July 24, 2024

By "reload", I understand that I need to clear the set files?

root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo +10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo +10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitsrc

Run test

root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeeddst
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last 2736; conf 15177/12664727 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeedsrc
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 324 te 0 last 19; conf 18691/17732314 7074 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitdst
10.8.0.101 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last 2117; conf 464/374141 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitsrc
10.8.0.101 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last 4009; conf 526/62639 0 bps, rej 0/0

Change rules

root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitdst

Run test

root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeeddst
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 80 te 0 last 64; conf 6690/2655256 88550 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeedsrc
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last 138; conf 7988/8762750 474412 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitdst
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 163890 last 7; conf 6373/2060542 1656 bps, rej 440/607401
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitsrc
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 354443 last 3; conf 7028/7409030 2954 bps, rej 1011/1357078

Speedtest screenshot

aabc avatar aabc commented on July 24, 2024

It's hard to comprehend these stats because the test was not performed the way I requested and the stats are dirty with noise data.

  1. I don't need two tests, I only need a single test with incorrect ratelimiting.
  2. Clean the set rules just before the test, so that the counters are zero.
  3. Run the test from IP 10.8.0.100. Make sure your test IP is 10.8.0.100. I don't see proof of that in your data. The screenshot does not show your IP.
  4. In the middle of the test, cat the /proc/net/ipt_ratelimit/ files. Just an upload or a download test is enough. For example, in the middle of a download. I just want to see for certain where the counters are increasing.

dashkevichdmitry avatar dashkevichdmitry commented on July 24, 2024

10.8.0.100 proof
While the test was running, the other user was not connected to the VPN.

root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeeddst
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeedsrc
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitdst
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitsrc
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0

Run the test and, in the middle of the download, run cat

root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeeddst
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last 3; conf 1089/1419961 715600 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeedsrc
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 104 te 0 last 2; conf 884/61227 33452 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitdst
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 280804 te 93304 last 0; conf 770/975966 515292 bps, rej 321/445496
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitsrc
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 104 te 0 last 4; conf 884/61227 33452 bps, rej 0/0

from ipt-ratelimit.
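
Added example, not written by the thread participants or the ipt-ratelimit project: a shell/awk summary of the four stat lines posted above (captured mid-download from 10.8.0.100). It shows that the same download is counted in both fullspeeddst and limitdst, and that only the 10.8.0.0/24 entry in limitdst rejects packets. The set-name prefix on each line and the function names `summarize` and `dropping_sets` are assumptions of this example.

```shell
#!/bin/sh
# Stat lines copied from the mid-download capture in this thread. Each line is
# prefixed here with the set file it was read from (the prefix is this
# example's own convention, not output of the module).
SAMPLE='fullspeeddst 10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last 3; conf 1089/1419961 715600 bps, rej 0/0
fullspeedsrc 10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 104 te 0 last 2; conf 884/61227 33452 bps, rej 0/0
limitdst 10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 280804 te 93304 last 0; conf 770/975966 515292 bps, rej 321/445496
limitsrc 10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 104 te 0 last 4; conf 884/61227 33452 bps, rej 0/0'

# summarize: reads "<set> <stat line>" on stdin and prints, per entry,
#   <set> <prefix> <cir> <conforming packets> <rejected packets> <verdict>
summarize() {
    awk '{
        cir = conf = rej = ""
        # Locate the keyword fields; the value is always the next field.
        for (i = 3; i < NF; i++) {
            if ($i == "cir")  cir  = $(i + 1)
            if ($i == "conf") conf = $(i + 1)
            if ($i == "rej")  rej  = $(i + 1)
        }
        split(conf, c, "/")   # conf and rej are "packets/bytes"
        split(rej,  r, "/")
        verdict = (r[1] + 0 > 0) ? "DROPPING" : "passing"
        print $1, $2, cir, c[1] + 0, r[1] + 0, verdict
    }'
}

# dropping_sets: names of the sets that rejected at least one packet.
dropping_sets() {
    summarize | awk '$6 == "DROPPING" { print $1 }'
}

printf '%s\n' "$SAMPLE" | summarize
```

With counters zeroed just before the test, a set that shows conforming packets is seeing the traffic, and a set that shows rejected packets is the one whose entry is dropping it.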

aabc avatar aabc commented on July 24, 2024

I misinterpreted your setup at first, so the test wasn't really necessary, and everything seems to be working correctly.

dashkevichdmitry avatar dashkevichdmitry commented on July 24, 2024

So, for correct rate limiting I need to create separate rules for IP .100 and for the other IPs, but if one rule overlaps other rules, the module uses the last one?

aabc avatar aabc commented on July 24, 2024

Answer two questions:

  • Why do you create four sets and not just two?
  • Why do you put just one rule per set?

dashkevichdmitry avatar dashkevichdmitry commented on July 24, 2024

I'm a guest in Linux.

> Why do you put just one rule per set?

I understand my mistake; I can add both rules to one set file.

> Why do you create four sets and not just two?

I looked at the README and thought I needed to create separate sets for src and dst. If I don't add the ratelimit-mode param, will the set be used for both src and dst?

aabc avatar aabc commented on July 24, 2024

Why do you create 4 sets and not just 2?

dashkevichdmitry avatar dashkevichdmitry commented on July 24, 2024

After understanding my mistake, I did this, and it all works fine:

iptables -A FORWARD -m ratelimit --ratelimit-set myset --ratelimit-mode src -j DROP
iptables -A FORWARD -m ratelimit --ratelimit-set myset --ratelimit-mode dst -j DROP
echo / > /proc/net/ipt_ratelimit/myset
echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/myset
echo +10.8.0.101 100000000 > /proc/net/ipt_ratelimit/myset
echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/myset


aabc avatar aabc commented on July 24, 2024

Grats!
