I'm currently having trouble trying to set up a rule on IPTables to rate-limit certain packets. I can't just use the normal limit mode on iptables as this has to be per dstip and dstport.
The rule looks like this:
iptables -A PREROUTING -t raw -p udp -m hashlimit -m u32 --u32 "0x0>>0x16&0x3c@0x9&0xff=0x55" --dport 27015:27105 --hashlimit-mode dstip,dstport --hashlimit-above 500/sec --hashlimit-name PLAYERQUERY -j DROP
This seems to work correctly and will rate-limit when a significant amount comes in, however I can see random packets being dropped even when under the 500/sec limit. I'm verifying this by using wireshark across our nodes and I'm only seeing maybe ~20 a second.
Two other examples with some packets dropped too early. The same random loss with another rule:
iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 -i eth0 --hashlimit-above 256/sec --hashlimit-burst 512 --hashlimit-mode srcip --hashlimit-name reg_html1 -m state --state NEW -j DROP
And on lo (vs eth0), the first packets matching are all dropped!
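One way to see why a hashlimit rule can drop packets while the average rate is far below the limit is to model it as the token bucket the iptables-extensions man page describes. The script below is an added example, not code from the post above or from iptables itself. It assumes hashlimit's documented behaviour: each hash entry (keyed here like --hashlimit-mode dstip,dstport) starts with --hashlimit-burst packets of credit (default 5), refills one packet of credit per 1/rate seconds up to that burst, and --hashlimit-above matches (so -j DROP fires) when a packet arrives with no credit left. Kernel timer granularity is ignored, and the packet traces are constructed, not captured traffic. It also generalises past the post's single rule by letting you vary the rate and burst.

```python
"""Token-bucket model of iptables' hashlimit match with --hashlimit-above.

Constructed example; assumes the behaviour documented for hashlimit:
credit bucket per hash key, initially --hashlimit-burst packets, refilled
at 1/rate seconds per packet, --hashlimit-above matching once credit is
exhausted. Times are integer microseconds to avoid float drift.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "t_us dst_ip dst_port")


class HashlimitAbove:
    """Per-(dstip, dstport) credit buckets, i.e. --hashlimit-mode dstip,dstport."""

    def __init__(self, rate_per_sec, burst=5):
        self.cost_us = 1_000_000 // rate_per_sec  # credit spent by one packet
        self.cap_us = burst * self.cost_us        # bucket size (--hashlimit-burst)
        self.entries = {}                         # key -> (credit_us, last_seen_us)

    def matches(self, pkt):
        """True when the rule matches, i.e. when -j DROP would fire."""
        key = (pkt.dst_ip, pkt.dst_port)
        # A new entry starts with a full bucket (burst packets of credit).
        credit, last = self.entries.get(key, (self.cap_us, pkt.t_us))
        credit = min(self.cap_us, credit + (pkt.t_us - last))  # refill with elapsed time
        if credit >= self.cost_us:
            self.entries[key] = (credit - self.cost_us, pkt.t_us)
            return False  # under the limit: rule does not match, packet passes
        self.entries[key] = (credit, pkt.t_us)
        return True       # above the limit: rule matches, packet dropped


def simulate(packets, rate_per_sec, burst=5):
    """Return PASS/DROP verdicts for a packet trace under one hashlimit rule."""
    rule = HashlimitAbove(rate_per_sec, burst)
    return ["DROP" if rule.matches(p) else "PASS" for p in packets]


def smooth_trace():
    """Constructed: 20 queries to one server, evenly spaced 50 ms apart (20/s)."""
    return [Packet(i * 50_000, "10.0.0.5", 27015) for i in range(20)]


def microburst_trace():
    """Constructed: same ~20/s average, but 8 queries land within 0.7 ms."""
    burst = [Packet(i * 100, "10.0.0.5", 27015) for i in range(8)]
    tail = [Packet(100_000 + i * 100_000, "10.0.0.5", 27015) for i in range(12)]
    return burst + tail


def drop_count(packets, rate_per_sec, burst=5):
    return simulate(packets, rate_per_sec, burst).count("DROP")


if __name__ == "__main__":
    # 500/sec with the default burst of 5: a microburst of 8 loses 3 packets
    # even though the average rate is ~17/s; raising the burst absorbs it.
    print("smooth 20/s, burst 5      :", drop_count(smooth_trace(), 500))
    print("microburst, burst 5       :", drop_count(microburst_trace(), 500))
    print("microburst, burst 20      :", drop_count(microburst_trace(), 500, burst=20))
    print("verdicts:", simulate(microburst_trace(), 500)[:8])
```

The model shows the check a practitioner would make before blaming the kernel: look at inter-arrival gaps in the capture rather than the per-second average, and compare the largest burst to --hashlimit-burst. With --hashlimit-above 500/sec and the default burst of 5, any six packets to the same (dstip, dstport) inside 2 ms exhaust the bucket, so a 20/s average capture can still contain drops. The /proc/net/ipt_hashlimit/PLAYERQUERY table on the node lists the live entries and their remaining credit.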