I'm looking for a solution to rate-limit on an IP basis. How many packets can the hashlimit iptables module handle on a recent Intel x86_64 CPU core? 1,000/sec? 1,000,000/sec?
Iptables – How efficient is iptables’ hashlimit module?
iptables, performance, rate-limiting
Best Answer
The most relevant additional machinery netfilter has to go through, from what I see in the source, is hashing new entries, updating entry credits, looking up entries, and cleaning up the underlying hash tables (see /proc/net/ipt_hashlimit).
Because hash tables are used, all those operations are constant time and quite fast, except table cleanup. The latter is expensive if you have many requests from many different users.
If I have to make a rough estimate of the hashlimit overhead, I would add at most 15% to the cost of processing a standard rule set. As usual, the best way to tell is to measure. If you do, update this post :)
As a side note, you might want to check out the PF rate-limiting options on BSD.
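To make the operations the answer lists concrete (insert a new per-source entry, refill and spend its credits, look it up, garbage-collect idle entries), here is an added toy model of the per-source-IP token bucket that a rule such as `iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-name web --hashlimit-mode srcip --hashlimit-above 10/sec --hashlimit-burst 5 -j DROP` relies on. This is example code written for this page, not the kernel's xt_hashlimit source: the credit arithmetic is simplified to floating-point tokens, the source addresses and timestamps are constructed, and the handling of a full table (reported as over-limit here) is an assumption of the model, not a statement about the module's exact behaviour.

```python
"""Toy model of the per-source-IP token bucket behind iptables' hashlimit match.

Constructed example: this is NOT the kernel's xt_hashlimit code, only a simplified
model of the operations involved (hash/insert a new entry, update its credits,
look it up, garbage-collect stale entries).
"""
from dataclasses import dataclass


@dataclass
class Entry:
    credit: float  # tokens currently available (1 token = 1 packet)
    last: float    # timestamp (seconds) of the last packet seen from this source


class HashlimitTable:
    """One --hashlimit-name table in --hashlimit-mode srcip (simplified model).

    rate_per_sec : the --hashlimit-upto / --hashlimit-above rate, in packets/s
    burst        : --hashlimit-burst, the bucket size in packets
    expire_sec   : --hashlimit-htable-expire, how long an idle entry survives
    htable_max   : --hashlimit-htable-max, hard cap on the number of entries
    """

    def __init__(self, rate_per_sec, burst, expire_sec, htable_max=None):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.expire = float(expire_sec)
        self.htable_max = htable_max
        self.table = {}  # src_ip -> Entry; a dict stands in for the kernel hash table

    def within_limit(self, src_ip, now):
        """True if this packet is within the per-source rate (the --hashlimit-upto
        sense), False if it is over the limit.  Lookup, insert and credit update
        are all constant-time dict operations."""
        entry = self.table.get(src_ip)
        if entry is None:
            if self.htable_max is not None and len(self.table) >= self.htable_max:
                # Assumption of this model: a full table counts as over-limit.
                return False
            # New source: hash in a full bucket and spend one token on this packet.
            self.table[src_ip] = Entry(credit=self.burst - 1.0, last=now)
            return True
        # Existing source: refill credits for the elapsed time, capped at burst.
        entry.credit = min(self.burst, entry.credit + (now - entry.last) * self.rate)
        entry.last = now
        if entry.credit >= 1.0:
            entry.credit -= 1.0
            return True
        return False

    def gc(self, now):
        """Drop entries idle longer than expire_sec.  Unlike the per-packet path,
        this walks the whole table, so it is linear in the number of sources."""
        stale = [ip for ip, e in self.table.items() if now - e.last > self.expire]
        for ip in stale:
            del self.table[ip]
        return len(stale)


def constructed_packets():
    """Constructed sample traffic as (timestamp_seconds, src_ip) tuples."""
    pkts = [(0.001 * i, "198.51.100.10") for i in range(50)]  # 50 packets in 50 ms
    pkts += [(float(t), "198.51.100.20") for t in range(10)]  # 1 packet/s for 10 s
    pkts += [(5.0, "198.51.100.30")]                           # a single packet
    return sorted(pkts)


def simulate(packets, rate_per_sec, burst, expire_sec, htable_max=None):
    """Run packets through a fresh table; return (within_limit, over_limit, table)."""
    tbl = HashlimitTable(rate_per_sec, burst, expire_sec, htable_max)
    ok = over = 0
    for ts, src in packets:
        if tbl.within_limit(src, ts):
            ok += 1
        else:
            over += 1
    return ok, over, tbl


def demo():
    """10 packets/s with a burst of 5: the bursty source gets 5 packets through,
    the 1 packet/s source is never limited, and only the bursty source has gone
    idle for more than the 10 s expiry when gc runs at t=12."""
    ok, over, tbl = simulate(constructed_packets(), rate_per_sec=10, burst=5, expire_sec=10)
    entries_before = len(tbl.table)
    removed = tbl.gc(now=12.0)
    return {"within": ok, "over": over, "entries_before_gc": entries_before,
            "gc_removed": removed, "entries_after_gc": len(tbl.table)}


if __name__ == "__main__":
    print(demo())
```

The model shows why the answer singles out cleanup: every packet touches exactly one entry, but gc() walks every entry, so its cost grows with the number of distinct sources rather than with packet rate. On a real box the equivalent of len(tbl.table) is the number of lines in /proc/net/ipt_hashlimit/&lt;name&gt;, which is the first thing to watch while measuring.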