On Thursday 13 of October 2011, Jan Engelhardt wrote: > Well, burst does not specify any rate, so claiming "per second" (or > "per jiffy") does not make sense anyway. It does. The match works with jiffy granularity and if you look at the source, you'll see that no more than burst packets per jiffy can pass. > --limit 2000/s should always give you 2000 packets somehow > distributed over 1 second for any burst value <= 2000. The fact that > it does not (you observe 1000/s) hints towards what I said earlier > that high-rate matching in xt_limit and xt_hashlimit has > inaccuracies. This is not an inaccuracy, this is simple result of how the token bucket algorithm works. You can never get more than burst packets per jiffy simply because you don't get more than burst tokens. The rate you get is approximately min(avg, burst*HZ). The same problem exists in TBF: no matter what rate do you specify, real rate is effectively limited by burst*HZ (and by mtu*HZ). Fort TBF, this is even mentioned in the documentation. Michal Kubeček -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html