ipt-ratelimit linux kernel module by <abc@telekom.ru> -- (c) 2015.

   An high-performance implementation of committed access rate, or simply rate
   limiting, or policing for Linux iptables. Suitable for a lot of users
   (similar to ipset) and does not have qdisc limitations.


============
= ABSTRACT =
============

  ipt-ratelimit module implements traffic policing (i.e. limiting traffic bit
  rate) using, standard for this purpose, token bucket filter (TBF) algorithm.
  Particular implementation is based on FreeBSD's implementation of Cisco's TBF
  with extended burst value (which is used to implement RED-like drop behavior).

  Module is compatible with recent linux distributions such as Debian 7, 8,
  Centos 7, and Linux kernel 3.x or above.


================
= INSTALLATION =
================

  Three easy steps:

  ** 1. Prepare Kernel source for module compilation

  What to do for Debian and Ubuntu:

      sudo# apt-get install module-assistant
      sudo# m-a prepare

  ** 2. Prepare Iptables

  What to do for Debian or Ubuntu:

      sudo# apt-get install iptables-dev pkg-config

  ** 3. Now, to actually build the module run:

      ~/ipt-ratelimit# make all install
      ~/ipt-ratelimit# depmod


===========
=  USAGE  =
===========

  * Module parameter:

    # modinfo xt_ratelimit.ko
    parm:           hashsize:default size of hash table used to look
                    up IPs (uint)

  Parameter hashsize allows to specify size of every set's hash table (default
  value is 10000). Increase if you plan to use more IPs than that. Best value
  is twice as much IPs you are planning to use.

  * iptables options:

    # iptables -m ratelimit --help
    ratelimit match options:
      --ratelimit-set <name>    Name of the ratelimit set to be used.
				DEFAULT will be used if none given.
      --ratelimit-mode <mode>   Address match: src or dst.

  Both options are mandatory. Every set should be first created with iptables
  before it will have configuration file /proc/net/ipt_ratelimit/<name>

  * To create set named "name0":

    # iptables --ratelimit-set name0 --ratelimit-mode src -j DROP

  This command will work like this:
   - match src (source) IP address of every packet in the set name0,
   - apply appropriate rate-limit rule to it,
   - and if packet is exceeding configured rate it will MATCH the rule,
   - thus, matched traffic is directed to the -j DROP target.

  Usage of set files:

    * To add IPs to the set write string in the following format:

       +IPv4[,IPv4...] bitrate [normal_burst [extended_burst]]

    Examples:

      # echo +10.0.0.1 1000000 > /proc/net/ipt_ratelimit/name0
      # echo +10.0.0.1 1000000 187500 > /proc/net/ipt_ratelimit/name0
      # echo +10.0.0.1 1000000 187500 375000 > /proc/net/ipt_ratelimit/name0

      - these three lines are equal, becasue normal burst (cbs) and extended
	burst (ebs), when not specified, are calculated automatically by
	optimal formula:

          normal_burst = bitrate * (1 byte)/(8 bits) * 1.5 seconds
          extended_burst = 2 * normal_burst

      # echo +10.0.0.1,10.0.0.2 10000000 > /proc/net/ipt_ratelimit/name0

      - add multiple IPs, rate will be calculated for them together (not
        separately). For example if you want limit client with multiple IPs.

    * To delete IPs from the set:

      # echo -10.0.0.1 > /proc/net/ipt_ratelimit/name0
      # echo -10.0.0.1,10.0.0.2 > /proc/net/ipt_ratelimit/name0

      If you want to always delete before add, but don't want to see deletion
      error message on console or dmesg, prepend delete command with '@':

      # echo @-10.0.0.1 > /proc/net/ipt_ratelimit/name0

    * Update rates for existing rules:

      # echo @+10.0.0.1 0 > /proc/net/ipt_ratelimit/name0

      With this, if rule is not already exists then it will be added,
      if it's already exists then rate will be updated (with zero rate in
      example). Note, that IP list should match existing rule exactly.

    * To flush (clean) set named "name0" (i.e. delete all rules):

      # echo / > /proc/net/ipt_ratelimit/name0
      or
      # echo :flush > /proc/net/ipt_ratelimit/name0

    * Change what to do with packets whose IP do not exist in the set

      # echo :hotdrop > /proc/net/ipt_ratelimit/name0

      Use iptables hotdrop to forcefully drop packets directly from
      te match rule, no matter what is in the -j target.

      # echo :match > /proc/net/ipt_ratelimit/name0

      'Match' these packets (same as if they are exceeding rate limits),
      thus, -j target will be triggered, which is usually should be DROP.

      # echo :nomatch > /proc/net/ipt_ratelimit/name0

      Disable aforementioned :match or :hotdrop behavior, returning to default.

    * To view statistics:

      # cat /proc/net/ipt_ratelimit/name0

    * Stat output example and format:

    10.0.1.5 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0 0 bps

      10.0.1.5     IP to match,
      cir 1000000  allowed rate   (cir is committed information rate) in bits,
      cbs 187500   normal burst   (cbs is committed burst size) in bytes,
      ebs 375000   extended burst (cbs is extended burst size) in bytes,
      tc 0         committed token bucket counter,
      te 0         extended token bucket counter (implementing extended burst),
      last never   how much seconds ago last packet is seen,
      conf 0/0 0 bps
                   conforming traffic counters (pkts/bytes bitrate),
		   Note, that bitrate here is calculated from the first seen to
		   the last seen packet, not to the 'now'.
      rej 0/0 0 bps
                   rejected (or matched) traffic counters.


===========
