I believe that's true. Even I did check that through logging when I was about to present this to my students in a network security course. This is coarsely analogous to a tap that leaks into a bucket every fixed amount of time in order to fill it, but the bucket rejects the new drops when it is full.

On Wed, 23 Mar 2005 08:59:11 -0500 (EST), Robert P. J. Day <rpjday@xxxxxxxxxxxxxx> wrote:
> On Wed, 23 Mar 2005, Jason Opperisano wrote:
>
> > On Wed, 2005-03-23 at 03:21, ASHISH wrote:
> > > The rule that you have mentioned will "Accept" the first five matches.
> >
> > to split hairs here--the way the OP has the rule written:
> >
> > iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
> >
> > it will actually accept the first 10 packets, the limit of 5 + the burst
> > of 5--then the limit will enforce for 5 minutes.
>
> huh? i'm pretty sure that's not true, as i remember figuring this out
> once upon a time. i'll go back to my notes but, as i *remember* it,
> it's easiest to think in terms of tokens. "limit-burst" means you get
> that many tokens with which to "pay" to accept incoming packets. if
> you start with a limit burst of, say, 20, then you can accept the
> first 20 packets, regardless of how fast they arrive -- they just cost
> you all of your tokens almost immediately.
>
> the "limit" of 5/m means that you are replenished with another token
> at that rate -- effectively every 12 seconds -- but only up to your
> limit-burst maximum of 20.
>
> what this means is that, if you're getting just hammered, when you
> start, you'll accept the first 20 packets and, after that, another one
> every 12 seconds. if things quiet down, then you're allowed to build
> up your reserve of tokens again, but only up to your burst-limit.
>
> i actually set up a set of rules once and *watched* this happen.
>
> does that make sense?
>
> rday
>

--
cheers
Ashish
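The token-bucket behaviour rday describes, as an added simulation that is not part of the thread above and not the kernel's code: the limit match keeps a credit counter that is topped up by elapsed time, capped at burst tokens' worth, and charged a fixed cost per matched packet. The model below uses integer milliseconds for the credit (the real module also does integer credit accounting, in its own units, so exact rounding differs), and the three packet streams are constructed inputs, not captured traffic. Run against the OP's rule (`--limit 5/m --limit-burst 5`) it shows the first 5 packets of a flood accepted (not 10), one more every 12 seconds while hammered, and a refill after idle time that stops at the burst cap.

```python
# Added example: integer token-bucket model of
# `iptables -m limit --limit RATE --limit-burst BURST`.
# Times are milliseconds; packet streams below are constructed.

UNIT_MS = {
    "s": 1_000, "sec": 1_000, "second": 1_000,
    "m": 60_000, "min": 60_000, "minute": 60_000,
    "h": 3_600_000, "hour": 3_600_000,
    "d": 86_400_000, "day": 86_400_000,
}


def cost_ms(rate: str) -> int:
    """Milliseconds of credit one packet costs, e.g. '5/m' -> 12000.

    A bare number means per second, as the limit match documents.
    Integer division stands in for the module's integer credit math.
    """
    count, _, unit = rate.partition("/")
    return UNIT_MS[unit or "second"] // int(count)


class LimitMatch:
    """One `-m limit` rule: a credit bucket of capacity burst * cost."""

    def __init__(self, limit: str = "3/hour", burst: int = 5):
        self.cost = cost_ms(limit)
        self.cap = burst * self.cost      # burst tokens' worth of credit
        self.credit = self.cap            # bucket starts full
        self.prev_ms = 0

    def match(self, now_ms: int) -> bool:
        """True if the rule matches (so `-j ACCEPT` fires)."""
        # refill by elapsed time, never above the burst cap
        self.credit = min(self.cap, self.credit + (now_ms - self.prev_ms))
        self.prev_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost      # spend one token
            return True
        return False                      # no token: rule does not match


def accepted(limit: str, burst: int, arrivals_ms) -> list[int]:
    """Arrival times (ms, ascending) at which the rule matches."""
    rule = LimitMatch(limit, burst)
    return [t for t in arrivals_ms if rule.match(t)]


# Scenario 1: the OP's rule under a flood, 100 packets in one second.
# Only the first 5 (the burst) are accepted; 5 + 5 = 10 is not what happens.
def flood_one_second() -> list[int]:
    return accepted("5/m", 5, range(0, 1_000, 10))


# Scenario 2: hammered steadily, one packet every 100 ms for a minute.
# Burst of 5, then exactly one more every 12 s (12000, 24000, ...).
def hammered_for_a_minute() -> list[int]:
    return accepted("5/m", 5, range(0, 60_000, 100))


# Scenario 3: a flood, then 120 s of silence, then another flood.
# 120 s would be worth 10 tokens, but the bucket refills only to 5.
def quiet_then_burst() -> list[int]:
    first = list(range(0, 500, 10))              # 50 packets at t = 0..0.49 s
    later = list(range(120_000, 120_500, 10))    # 50 more after 120 s idle
    return accepted("5/m", 5, first + later)


if __name__ == "__main__":
    print("flood:   ", flood_one_second())
    print("hammered:", hammered_for_a_minute())
    print("idle/cap:", quiet_then_burst())
```

Everything that does not match `-m limit` here simply falls through to the next rule, so in practice the rule is paired with a following DROP or LOG rule; this model only decides the match.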