Describe how the burst value influences the kernel module's token bucket in each of the two modes. Signed-off-by: Phil Sutter <phil@xxxxxx> --- Looking at the code, maybe one should make byte-based limit burst default to either zero or four times the rate value instead of the seemingly arbitrary 5 bytes. --- doc/statements.txt | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/statements.txt b/doc/statements.txt index 6aaf806bcff25..af8ccb8603c67 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -332,8 +332,13 @@ ____ A limit statement matches at a limited rate using a token bucket filter. A rule using this statement will match until this limit is reached. It can be used in combination with the log statement to give limited logging. The optional -*over* keyword makes it match over the specified rate. Default *burst* is 5. -if you specify *burst*, it must be non-zero value. +*over* keyword makes it match over the specified rate. + +The *burst* value influences the bucket size, i.e. jitter tolerance. With +packet-based *limit*, the bucket holds exactly *burst* packets, by default +five. With byte-based *limit*, the bucket's minimum size is the given rate's +byte value and the *burst* value adds to that, by default five bytes. If you +specify *burst*, it must be a non-zero value. .limit statement values [options="header"] -- 2.34.1
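Review bot: In the added paragraph, the byte-based sentence ("the bucket's minimum size is the given rate's byte value and the *burst* value adds to that") does not say whether "the rate's byte value" is the byte count exactly as written in the rule, independent of the rate's time unit, so a reader cannot work out the resulting bucket size from the text alone. Consider stating the byte-based bucket size as the rate's byte value plus *burst*, with one concrete rate and the bucket size it yields, next to the packet-based case where the bucket is exactly *burst* packets. Since the two modes treat the same keyword differently, it would also help to say that the byte-based bucket is never smaller than the rate value even at the default of five bytes, because anyone sizing a rate limit or limited logging around *burst* alone will underestimate what byte mode lets through before the limit applies.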