On Thursday 13 of October 2011, Jan Engelhardt wrote:
> Well, burst does not specify any rate, so claiming "per second" (or
> "per jiffy") does not make sense anyway.
It does. The match works with jiffy granularity and if you look at the
source, you'll see that no more than burst packets per jiffy can pass.
> --limit 2000/s should always give you 2000 packets somehow
> distributed over 1 second for any burst value <= 2000. The fact that
> it does not (you observe 1000/s) hints towards what I said earlier
> that high-rate matching in xt_limit and xt_hashlimit has
> inaccuracies.
This is not an inaccuracy, this is simple result of how the token bucket
algorithm works. You can never get more than burst packets per jiffy
simply because you don't get more than burst tokens. The rate you get is
approximately min(avg, burst*HZ).
The same problem exists in TBF: no matter what rate do you specify, real
rate is effectively limited by burst*HZ (and by mtu*HZ). Fort TBF, this
is even mentioned in the documentation.
Michal Kubeček
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
