> does this somehow explain why this whole issue doesn't apply to the loopback
Ratelimit checks are simply skipped for it, they apply only to icmps,
which are going to be sent to network.
Source of the problem was that icmp holds single variable for rate, but still
pretends to allow setting different rates for different types of messages.
Algo solves this assigning different costs to different types, but
it breaks when costs are strongly different, so that low cost one (echo reply
in this case) suppresses high cost (icmp errors) too strongly
for some short time. nmap sends tight burst of udp messages (which is crazy
anyway, icmp errors except for a few will be dropped in any case),
after echo and all the icmp errors inevitably fall to this dead interval.