
List:       netfilter
Subject:    Can't confirm limit rule works with tcpdump output.
From:       Matthew Schumacher <matt.s () aptalaska ! net>
Date:       2004-07-29 23:04:47
Message-ID: 4109828F.90609 () aptalaska ! net

Ok I have this rule in my firewall:

iptables -A INPUT -p udp -d <HOSTA> --dport 1646 -m limit ! --limit 10/sec \
    --limit-burst 20 -j LOG --log-prefix "IPTABLES Radius limit: "

From what I have read, this should create a bucket that can hold 20 
tokens and fill it at a rate of 10 tokens per second.  For every packet 
with the DST address <HOSTA> on port 1646, take a token out of the 
bucket.  If the bucket is completely empty, then match (because of the 
negation) and process the LOG target.

This is not what happens, because my tcpdump output shows nothing close 
to 10 packets per second, yet the rule matches and logs.

I know I'm missing something here; can someone point it out to me?

Thanks,
schu
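To make the token-bucket semantics described in the post concrete, here is an added simulation (not code from the post, and not the kernel's xt_limit implementation): a simplified model of a `-m limit` bucket with `--limit 10/sec` and `--limit-burst 20`, run over two constructed packet traces. The class and function names (`TokenBucket`, `negated_limit_hits`) and the traces are assumptions for the example; it uses integer milli-tokens so the arithmetic is exact.

```python
"""Simplified token-bucket model of iptables '-m limit' (constructed example).

Not the kernel's xt_limit code: it models the semantics as commonly
described (a bucket of --limit-burst tokens, refilled at --limit tokens
per second, one token drawn per matching packet).
"""


class TokenBucket:
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec          # --limit 10/sec
        self.cap = burst * 1000           # --limit-burst 20, in milli-tokens
        self.tokens = self.cap            # the bucket starts full
        self.last_ms = 0                  # time of the previous packet

    def consume(self, now_ms):
        """Refill for the elapsed time, then try to take one token.

        Returns True when the plain '--limit' match would fire, False when
        the bucket is empty, which is exactly when '! --limit' matches.
        """
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def negated_limit_hits(timestamps_ms, rate_per_sec=10, burst=20):
    """Timestamps (ms) of the packets a '! --limit' rule would hand to LOG.

    There is one bucket per rule: every packet the rule matches draws from
    the same bucket, whatever its source address.
    """
    bucket = TokenBucket(rate_per_sec, burst)
    return [t for t in timestamps_ms if not bucket.consume(t)]


# Constructed traces; real input would be the timestamps from a tcpdump capture.
FLOOD = [10 * i for i in range(40)]       # 40 packets at 100 pkt/s
TRICKLE = [500 * i for i in range(40)]    # 40 packets at 2 pkt/s


if __name__ == "__main__":
    print("flood logged at ms:", negated_limit_hits(FLOOD))
    print("trickle logged at ms:", negated_limit_hits(TRICKLE))
```

On the flood trace the negated rule stays silent while the 20-token burst drains, then fires on most packets after that (one in ten slips through as the bucket refills); on the 2 pkt/s trickle it never fires. When reading a tcpdump capture against such a rule, compare the aggregate rate of every packet the rule matches, not the rate of a single flow, since the bucket is shared across all of them.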
