You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
147 lines
4.1 KiB
147 lines
4.1 KiB
.TH "Policing action in tc" 8 "20 Jan 2015" "iproute2" "Linux"
|
|
|
|
.SH NAME
|
|
police - policing action
|
|
.SH SYNOPSIS
|
|
.in +8
|
|
.ti -8
|
|
.BR tc " ... " "action police"
|
|
.BI rate " RATE " burst
|
|
.IR BYTES [\fB/ BYTES "] ["
|
|
.B mtu
|
|
.IR BYTES [\fB/ BYTES "] ] ["
|
|
.BI peakrate " RATE"
|
|
] [
|
|
.BI overhead " BYTES"
|
|
] [
|
|
.BI linklayer " TYPE"
|
|
] [
|
|
.IR CONTROL " ]"
|
|
|
|
.ti -8
|
|
.BR tc " ... " filter " ... [ " estimator
|
|
.IR "SAMPLE AVERAGE " ]
|
|
.BR "action police avrate"
|
|
.IR RATE " [ " CONTROL " ]"
|
|
|
|
.ti -8
|
|
.IR CONTROL " :="
|
|
.BI conform-exceed " EXCEEDACT\fR[\fB/\fINOTEXCEEDACT"
|
|
|
|
.ti -8
|
|
.IR EXCEEDACT/NOTEXCEEDACT " := { "
|
|
.BR pipe " | " ok " | " reclassify " | " drop " | " continue " | " goto " " chain " " CHAIN_INDEX " }"
|
|
.SH DESCRIPTION
|
|
The
|
|
.B police
|
|
action allows to limit bandwidth of traffic matched by the filter it is
|
|
attached to. Basically there are two different algorithms available to measure
|
|
the packet rate: The first one uses an internal dual token bucket and is
|
|
configured using the
|
|
.BR rate ", " burst ", " mtu ", " peakrate ", " overhead " and " linklayer
|
|
parameters. The second one uses an in-kernel sampling mechanism. It can be
|
|
fine-tuned using the
|
|
.B estimator
|
|
filter parameter.
|
|
.SH OPTIONS
|
|
.TP
|
|
.BI rate " RATE"
|
|
The maximum traffic rate of packets passing this action. Those exceeding it will
|
|
be treated as defined by the
|
|
.B conform-exceed
|
|
option.
|
|
.TP
|
|
.BI burst " BYTES\fR[\fB/\fIBYTES\fR]"
|
|
Set the maximum allowed burst in bytes, optionally followed by a slash ('/')
|
|
sign and cell size which must be a power of 2.
|
|
.TP
|
|
.BI mtu " BYTES\fR[\fB/\fIBYTES\fR]"
|
|
This is the maximum packet size handled by the policer (larger ones will be
|
|
handled like they exceeded the configured rate). Setting this value correctly
|
|
will improve the scheduler's precision.
|
|
Value formatting is identical to
|
|
.B burst
|
|
above. Defaults to unlimited.
|
|
.TP
|
|
.BI peakrate " RATE"
|
|
Set the maximum bucket depletion rate, exceeding
|
|
.BR rate .
|
|
.TP
|
|
.BI avrate " RATE"
|
|
Make use of an in-kernel bandwidth rate estimator and match the given
|
|
.I RATE
|
|
against it.
|
|
.TP
|
|
.BI overhead " BYTES"
|
|
Account for protocol overhead of encapsulating output devices when computing
|
|
.BR rate " and " peakrate .
|
|
.TP
|
|
.BI linklayer " TYPE"
|
|
Specify the link layer type.
|
|
.I TYPE
|
|
may be one of
|
|
.B ethernet
|
|
(the default),
|
|
.BR atm " or " adsl
|
|
(which are synonyms). It is used to align the precomputed rate tables to ATM
|
|
cell sizes, for
|
|
.B ethernet
|
|
no action is taken.
|
|
.TP
|
|
.BI estimator " SAMPLE AVERAGE"
|
|
Fine-tune the in-kernel packet rate estimator.
|
|
.IR SAMPLE " and " AVERAGE
|
|
are time values and control the frequency in which samples are taken and over
|
|
what timespan an average is built.
|
|
.TP
|
|
.BI conform-exceed " EXCEEDACT\fR[\fB/\fINOTEXCEEDACT\fR]"
|
|
Define how to handle packets which exceed or conform the
|
|
configured bandwidth limit. Possible values are:
|
|
.RS
|
|
.IP continue
|
|
Don't do anything, just continue with the next action in line.
|
|
.IP drop
|
|
Drop the packet immediately.
|
|
.IP shot
|
|
This is a synonym to
|
|
.BR drop .
|
|
.IP ok
|
|
Accept the packet. This is the default for conforming packets.
|
|
.IP pass
|
|
This is a synonym to
|
|
.BR ok .
|
|
.IP reclassify
|
|
Treat the packet as non-matching to the filter this action is attached to and
|
|
continue with the next filter in line (if any). This is the default for
|
|
exceeding packets.
|
|
.IP pipe
|
|
Pass the packet to the next action in line.
|
|
.SH EXAMPLES
|
|
A typical application of the police action is to enforce ingress traffic rate
|
|
by dropping exceeding packets. Although better done on the sender's side,
|
|
especially in scenarios with lack of peer control (e.g. with dial-up providers)
|
|
this is often the best one can do in order to keep latencies low under high
|
|
load. The following establishes input bandwidth policing to 1mbit/s using the
|
|
.B ingress
|
|
qdisc and
|
|
.B u32
|
|
filter:
|
|
|
|
.RS
|
|
.EX
|
|
# tc qdisc add dev eth0 handle ffff: ingress
|
|
# tc filter add dev eth0 parent ffff: u32 \\
|
|
match u32 0 0 \\
|
|
police rate 1mbit burst 100k
|
|
.EE
|
|
.RE
|
|
|
|
As an action can not live on it's own, there always has to be a filter involved as link between qdisc and action. The example above uses
|
|
.B u32
|
|
for that, which is configured to effectively match any packet (passing it to the
|
|
.B police
|
|
action thereby).
|
|
|
|
.SH SEE ALSO
|
|
.BR tc (8)
|