iptables limit --limit limitations

iptables limit --limit limitations

[Payam Chychi]

Hi,

Has anyone experienced any limitations when implementing the "limit
--limit $value/sec"  ? I can only get 1000 packets/sec with a value of
1000 or 10000  with a burst of 5. Ive been able to increase the
packets to almost 7500 packers/sec when using a value of 10000 with a
burst of 20.

Ive also tried increasing the HZ for High res timer on the kernel to
1000 and enabled dynamic ticks (thanks to kuzin)
any thoughts or ideas on this? I would greatly appreciate any feedback...

Thanks,
Payam

Re: iptables limit --limit limitations

[Jan Engelhardt]

On Saturday 2008-05-17 09:20, Payam Chychi wrote:

>Hi,
>
>Has anyone experienced any limitations when implementing the "limit
>--limit $value/sec"  ? I can only get 1000 packets/sec with a value of
>1000 or 10000  with a burst of 5. Ive been able to increase the
>packets to almost 7500 packers/sec when using a value of 10000 with a
>burst of 20.
>
>Ive also tried increasing the HZ for High res timer on the kernel to
>1000 and enabled dynamic ticks (thanks to kuzin)
>any thoughts or ideas on this? I would greatly appreciate any feedback...


It is known that the algorithm in limit and hashlimit are not quite 
accurate. Though, we seem to be out of solutions, too.

Re: iptables limit --limit limitations

[Jesper Dangaard Brouer]

Jan Engelhardt <jengelh <at> medozas.de> writes:

> It is known that the algorithm in limit and hashlimit are not quite 
> accurate. Though, we seem to be out of solutions, too.

Here is a paper on it here:
 http://people.netfilter.org/acidfu/papers/limit-tbf-analysis.pdf

I don't know if the solution proposed has been implemented (and accepted
upstream)???

Cheers,
 Jesper Brouer