Having re-read Martin's explanation a few times, I think we are saying the same thing - so apologies if I misunderstood you Martin, I actually think your explanation is very good. I was confused over the use of "rule doesn't match anymore", thinking you meant the --limit, but you of course meant the actual rule stops matching because the --limit is now matched.

To complete the original example of --limit 10/m, which would have a default --limit-burst 5: the first 5 would match the rule, then only 1 every 6 mins would match. If nothing comes in within 6 mins then the --limit-burst is raised from 0 to 1, and so on every 6 mins.

All the Best / Mit Freundlichen Gruessen
Mark G. Perry
IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@de.ibm.com
Office Tel: (+49)-7031-16-3626

----- Forwarded by Mark Perry/Germany/Contr/IBM on 10/06/2003 15:10 -----
From: Mark Perry/Germany/Contr/IBM@IBMDE
Date: 10/06/2003 13:47
To: lists4me@web.de, suse-security@suse.com
cc:
Subject: Re: [suse-security] iptables: limit
Forgive the intrusion to your thread, but I thought the --limit-burst was
the initial number of matches (default 5) that had to be reached BEFORE the
--limit rule is applied. The explanation given is the exact reverse of
that?
I think the idea here is so that a lightly used "rule" can be allowed to
peak higher than the basic rule (--limit) and only when the burst rate
reaches a certain threshold (--limit-burst) does the (--limit) rule come
into effect in order to throttle the throughput back below the peak.
Providing that the peak never exceeds the threshold (--limit-burst) then
the rule (--limit) is never used.
All the Best / Mit Freundlichen Gruessen
Mark G. Perry
IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@de.ibm.com
Office Tel: (+49)-7031-16-3626
From: Markus Hochmann

On Tuesday, 10 June 2003 12:58, Martin Köhling wrote:
On Fri, 6 Jun 2003, Markus Hochmann wrote:
Good, but what is the "--limit-burst" parameter for? And these 10 messages, are they the first messages received or only 1 in 6 seconds?
The best explanation I've seen so far was something like this:
For every "limit" rule, there's a "bucket" containing "tokens"; whenever the rule matches, a token is removed; when the token count reaches zero, the rule doesn't match anymore.
"--limit" is the bucket refill rate. "--limit-burst" is the bucket size (number of tokens that fit).

That's really easy to understand :D
Thx
Markus
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
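The token-bucket behaviour Martin describes, run against the figures used in the thread (--limit 10/m with the default --limit-burst 5), as an added simulation that is not part of the thread and not netfilter's own code. It models the bucket as a fractional token count that is refilled continuously at the --limit rate and capped at --limit-burst, which is a close model of what the kernel's limit match does; parse_limit, LimitMatch, simulate and seconds_per_token are names chosen for this example. With these figures one token is refilled every 60/10 = 6 seconds, so after an initial burst of five a steady stream of one packet every six seconds keeps matching, a faster stream matches only about one packet in six, and a quiet spell lets the bucket fill back up to five.

```python
"""Token-bucket simulation of the iptables limit match (--limit / --limit-burst).

Added example, not from the mailing-list thread.  Every limit rule owns a
bucket of tokens; a packet that finds a token in the bucket matches the rule
and takes one token; a packet that finds the bucket empty does not match.
--limit is the refill rate, --limit-burst the bucket size.

A typical defensive use is rate-limiting what a rule accepts or logs, e.g.
    iptables -A INPUT -p icmp -m limit --limit 10/m --limit-burst 5 -j ACCEPT
"""

from fractions import Fraction

# iptables accepts the unit abbreviated to any prefix: /s, /sec, /minute, /h, ...
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec):
    """Parse a --limit argument such as '10/m' or '3/hour' into tokens per second."""
    count, _, unit = spec.partition("/")
    unit = unit or "second"  # '10' alone means 10 per second
    for name, seconds in UNITS.items():
        if name.startswith(unit):
            return Fraction(int(count), seconds)
    raise ValueError(f"unknown time unit in limit spec {spec!r}")


def seconds_per_token(spec):
    """How long the bucket needs to earn back one token at the given rate."""
    return 1 / parse_limit(spec)


class LimitMatch:
    """One limit rule: a bucket of `burst` tokens refilled at `limit`."""

    def __init__(self, limit="3/hour", burst=5):  # iptables' defaults
        self.rate = parse_limit(limit)  # tokens per second
        self.burst = Fraction(burst)    # bucket capacity
        self.tokens = Fraction(burst)   # the bucket starts full
        self.last = Fraction(0)         # time of the previous packet

    def packet(self, t):
        """Return True if a packet arriving at time t (seconds) matches the rule."""
        t = Fraction(t)
        # Refill for the time that has elapsed, never beyond the bucket size.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1  # the match consumes one token
            return True
        return False          # bucket empty: the rule does not match


def simulate(limit, burst, arrivals):
    """Run one rule over a list of packet arrival times; True = matched."""
    rule = LimitMatch(limit, burst)
    return [rule.packet(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed arrival pattern: ten packets one second apart (a burst),
    # then silence, then a second burst of six starting at t=34.
    burst_then_pause = list(range(10)) + [34, 35, 36, 37, 38, 39]
    print("refill interval for 10/m:", seconds_per_token("10/m"), "s")
    for t, matched in zip(burst_then_pause, simulate("10/m", 5, burst_then_pause)):
        print(f"t={t:3d}s  {'MATCH' if matched else 'no match'}")
```

Reading the output: the first five packets of the burst match, the sixth (t=5) does not because only 5/6 of a token has been earned back, the seventh (t=6) matches as the bucket reaches one token again, and after a 30-second pause the bucket is full, so the next five packets match before the limit bites once more.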