Explain RATE and BURST in the basics doc

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-14 11:44:01 +01:00 · 2010-02-14 08:53:58 -08:00 · 2010-02-14 08:53:58 -08:00 · ba01cecbcd
commit ba01cecbcd
parent 0624451537
1 changed files with 29 additions and 3 deletions
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@ -1140,9 +1140,9 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    '!' to specify "All ports except these" (e.g., "!80,443").</para>

    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
-    file may specify no more than 15 ports; port ranges appearing in a list
-    count as two ports each.</para>
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
  </section>

  <section id="MAC">
@ -1186,6 +1186,32 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    </note>
  </section>

+  <section id="RateLimit">
+    <title>Rate Limiting (Rate and Burst)</title>
+
+    <para>Shorewall supports rate limiting in a number of ways. When
+    specifying a rate limit, both a <firstterm>rate</firstterm> and a
+    <firstterm>burst</firstterm> value are given.</para>
+
+    <para>Example from <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5): </para>
+
+    <simplelist>
+      <member>LOGRATE=10/minute</member>
+
+      <member>LOGBURST=5</member>
+    </simplelist>
+
+    <para> For each logging rule, the first time the rule is reached, the
+    packet will be logged; in fact, since the burst is 5, the first five
+    packets will be logged. After this, it will be 6 seconds (1 minute divided
+    by the rate of 10) before a message will be logged from the rule,
+    regardless of how many packets reach it. Also, every 6 seconds which
+    passes without matching a packet, one of the bursts will be regained; if
+    no packets hit the rule for 30 seconds, the burst will be fully recharged;
+    back where we started.</para>
+  </section>
+
  <section id="Logical">
    <title>Logical Interface Names</title>