iptables hashlimit with same name matches on first rule

Solution Unverified - Updated -

Issue

  • iptables hashlimit with same name matches on first rule
  • Where two iptables hashlimit rules use the same --hashlimit-name, only the first rule's rate limit applies and the second rule's bandwidth limit is ignored
  • The following iptables rules should result in 100MB/sec limit on one subnet, and 50MB/sec limit on the other, but actually result in 100MB/sec limit on both:
-A OUTPUT -d  172.16.2.0/24 -o net0 -m hashlimit --hashlimit-above 100mb/s --hashlimit-mode dstip --hashlimit-name LIMIT -j DROP
-A OUTPUT -d 172.16.20.0/24 -o net0 -m hashlimit --hashlimit-above  50mb/s --hashlimit-mode dstip --hashlimit-name LIMIT -j DROP
-A OUTPUT -d  172.16.2.0/24 -o net0 -j ACCEPT
-A OUTPUT -d 172.16.20.0/24 -o net0 -j ACCEPT
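The following is an added example, not part of the knowledgebase article: a POSIX shell function that scans an iptables-save style ruleset for exactly this condition (one --hashlimit-name reused by rules whose other hashlimit options differ), run against the four rules above and against a corrected set that gives each subnet its own table name. The names LIMIT_NET2 and LIMIT_NET20 in the corrected set are assumed, not taken from the article.

```shell
# Constructed sample: the article's four OUTPUT rules, as iptables-save prints them.
SHARED_NAME_RULES='-A OUTPUT -d 172.16.2.0/24 -o net0 -m hashlimit --hashlimit-above 100mb/s --hashlimit-mode dstip --hashlimit-name LIMIT -j DROP
-A OUTPUT -d 172.16.20.0/24 -o net0 -m hashlimit --hashlimit-above 50mb/s --hashlimit-mode dstip --hashlimit-name LIMIT -j DROP
-A OUTPUT -d 172.16.2.0/24 -o net0 -j ACCEPT
-A OUTPUT -d 172.16.20.0/24 -o net0 -j ACCEPT'

# Corrected set (names LIMIT_NET2 / LIMIT_NET20 are assumed): one hashlimit
# table per subnet, so each rule's own rate is the one the kernel enforces.
DISTINCT_NAME_RULES='-A OUTPUT -d 172.16.2.0/24 -o net0 -m hashlimit --hashlimit-above 100mb/s --hashlimit-mode dstip --hashlimit-name LIMIT_NET2 -j DROP
-A OUTPUT -d 172.16.20.0/24 -o net0 -m hashlimit --hashlimit-above 50mb/s --hashlimit-mode dstip --hashlimit-name LIMIT_NET20 -j DROP
-A OUTPUT -d 172.16.2.0/24 -o net0 -j ACCEPT
-A OUTPUT -d 172.16.20.0/24 -o net0 -j ACCEPT'

# find_shared_hashlimit_names RULESET
# Prints every --hashlimit-name that a later rule reuses with different
# --hashlimit-* options (rate, mode, burst, ...) than the first rule that
# used it. Rules sharing a name share one kernel table
# (/proc/net/ipt_hashlimit/<name>), so only the first rule's parameters apply.
find_shared_hashlimit_names() {
    printf '%s\n' "$1" | awk '
        /--hashlimit-name/ {
            name = ""; cfg = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--hashlimit-name") { name = $(i + 1); continue }
                if ($i ~ /^--hashlimit-/) cfg = cfg " " $i "=" $(i + 1)
            }
            if (name == "") next
            if (!(name in first)) { first[name] = cfg; next }
            if (first[name] != cfg && !(name in reported)) {
                reported[name] = 1
                print name
            }
        }'
}

# On a live system, run the same check over the real ruleset:
#   find_shared_hashlimit_names "$(iptables-save)"
echo "shared-name ruleset conflicts: $(find_shared_hashlimit_names "$SHARED_NAME_RULES")"      # LIMIT
echo "distinct-name ruleset conflicts: $(find_shared_hashlimit_names "$DISTINCT_NAME_RULES")"  # (none)
```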

Environment

  • Red Hat Enterprise Linux 7
  • iptables firewall with hashlimit rate limit applied
