Hi John,

Thanks for the reply.
Can this rounding error be corrected or the behaviour will be to rate-limit traffic once 303 is exceeded?

Regards
Naveen S

-----Original Message-----
From: John Haxby <john.haxby@xxxxxxxxxx>
Sent: Thursday, February 28, 2019 3:22 PM
To: Shivegowda, Naveen (Nokia - IN/Bangalore) <naveen.shivegowda@xxxxxxxxx>
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: iptables Configured ratelimit is not same as the rule shown in Rule display

> On 28 Feb 2019, at 09:28, Shivegowda, Naveen (Nokia - IN/Bangalore) <naveen.shivegowda@xxxxxxxxx> wrote:
>
> When I try to configure rate limit values with a certain number, in Rule display 'configured number + additional number' is shown as rate-limit value.
>
> iptables -A TEST -p tcp -m limit --limit 300 -j ACCEPT
> iptables -nvL TEST
> Chain TEST (0 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 303/sec burst 5
>
> Above behavior is same for rate-limit value starting from 295 until 303.
> I wanted to know the reason behind additional number getting added to the original rate-limit value used during configuration.

It's a rounding error. The limit you've asked for is 300/sec but as the time resolution isn't an exact multiple of 300 ticks per second you'll get a rounding error.

jch
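The rounding discussed in this thread, as an added example that is not part of the original messages or of the iptables source. It assumes the limit match stores a rate as an integer per-packet cost in units of 1/10000 second (the scale defined as XT_LIMIT_SCALE in xt_limit.h) and that the rule listing divides back; the function names are hypothetical.

```c
#include <stdio.h>

/* Assumption: rates are kept as an integer cost per packet in units of
 * 1/10000 second (XT_LIMIT_SCALE in xt_limit.h). Names are hypothetical. */
#define SCALE 10000u

/* Cost stored for "--limit N" (per second); 0 means N cannot be stored. */
static unsigned cost_for_rate(unsigned per_sec)
{
    if (per_sec == 0 || per_sec > SCALE)
        return 0;
    return SCALE / per_sec;          /* integer division drops the remainder */
}

/* Rate a rule listing reconstructs from the stored cost. */
static unsigned shown_rate(unsigned per_sec)
{
    unsigned cost = cost_for_rate(per_sec);
    return cost ? SCALE / cost : 0;
}

/* Lowest and highest requested rates sharing per_sec's stored cost.
 * Returns 0 (and leaves lo/hi untouched) if per_sec cannot be stored. */
static int same_cost_range(unsigned per_sec, unsigned *lo, unsigned *hi)
{
    unsigned cost = cost_for_rate(per_sec);
    if (cost == 0)
        return 0;
    *lo = SCALE / (cost + 1) + 1;    /* smallest N with SCALE / N == cost */
    *hi = SCALE / cost;              /* largest N with SCALE / N == cost */
    return 1;
}

int main(void)
{
    unsigned lo, hi;
    for (unsigned n = 293; n <= 305; n++)
        printf("--limit %u -> cost %u -> shown %u/sec\n",
               n, cost_for_rate(n), shown_rate(n));
    if (same_cost_range(300, &lo, &hi))
        printf("300/sec shares its stored cost with %u..%u\n", lo, hi);
    return 0;
}
```

Under this model every requested rate from 295 to 303 produces the same stored cost, so those rules are indistinguishable once loaded.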