1Policing action in tc(8)             Linux            Policing action in tc(8)
2
3
4

NAME

6       police - policing action
7

SYNOPSIS

9       tc  ... action police rate RATE burst BYTES[/BYTES] [ mtu BYTES[/BYTES]
10               ] [ peakrate RATE ] [ overhead BYTES ] [  linklayer  TYPE  ]  [
11               CONTROL ]
12
13       tc  ...  filter  ...  [ estimator SAMPLE AVERAGE ] action police avrate
14               RATE [ CONTROL ]
15
16       CONTROL := conform-exceed EXCEEDACT[/NOTEXCEEDACT
17
18       EXCEEDACT/NOTEXCEEDACT := { pipe | ok | reclassify | drop | continue  |
19               goto chain CHAIN_INDEX }
20

DESCRIPTION

22       The  police  action allows to limit bandwidth of traffic matched by the
23       filter it is attached to. Basically there are two different  algorithms
24       available  to  measure  the packet rate: The first one uses an internal
25       dual token bucket  and  is  configured  using  the  rate,  burst,  mtu,
26       peakrate, overhead and linklayer parameters. The second one uses an in-
27       kernel sampling mechanism. It can be  fine-tuned  using  the  estimator
28       filter parameter.
29

OPTIONS

31       rate RATE
32              The  maximum  traffic rate of packets passing this action. Those
33              exceeding it will be treated as defined  by  the  conform-exceed
34              option.
35
36       burst BYTES[/BYTES]
37              Set the maximum allowed burst in bytes, optionally followed by a
38              slash ('/') sign and cell size which must be a power of 2.
39
40       mtu BYTES[/BYTES]
41              This is the maximum packet size handled by the  policer  (larger
42              ones  will  be  handled like they exceeded the configured rate).
43              Setting this value correctly will improve the scheduler's preci‐
44              sion.  Value formatting is identical to burst above. Defaults to
45              unlimited.
46
47       peakrate RATE
48              Set the maximum bucket depletion rate, exceeding rate.
49
50       avrate RATE
51              Make use of an in-kernel bandwidth rate estimator and match  the
52              given RATE against it.
53
54       overhead BYTES
55              Account  for  protocol  overhead of encapsulating output devices
56              when computing rate and peakrate.
57
58       linklayer TYPE
59              Specify the link layer type.  TYPE may be one of  ethernet  (the
60              default),  atm or adsl (which are synonyms). It is used to align
61              the precomputed rate tables to ATM cell sizes, for  ethernet  no
62              action is taken.
63
64       estimator SAMPLE AVERAGE
65              Fine-tune the in-kernel packet rate estimator.  SAMPLE and AVER‐
66              AGE are time values and control the frequency in  which  samples
67              are taken and over what timespan an average is built.
68
69       conform-exceed EXCEEDACT[/NOTEXCEEDACT]
70              Define how to handle packets which exceed or conform the config‐
71              ured bandwidth limit. Possible values are:
72
73              continue
74                     Don't do anything, just continue with the next action  in
75                     line.
76
77              drop   Drop the packet immediately.
78
79              shot   This is a synonym to drop.
80
81              ok     Accept  the  packet.  This  is the default for conforming
82                     packets.
83
84              pass   This is a synonym to ok.
85
86              reclassify
87                     Treat the packet  as  non-matching  to  the  filter  this
88                     action  is  attached to and continue with the next filter
89                     in line (if any). This is the default for exceeding pack‐
90                     ets.
91
92              pipe   Pass the packet to the next action in line.
93

EXAMPLES

95       A  typical application of the police action is to enforce ingress traf‐
96       fic rate by dropping exceeding packets. Although  better  done  on  the
97       sender's  side, especially in scenarios with lack of peer control (e.g.
98       with dial-up providers) this is often the best one can do in  order  to
99       keep  latencies  low  under  high load. The following establishes input
100       bandwidth policing to 1mbit/s using the ingress qdisc and u32 filter:
101
102              # tc qdisc add dev eth0 handle ffff: ingress
103              # tc filter add dev eth0 parent ffff: u32 \
104                   match u32 0 0 \
105                   police rate 1mbit burst 100k
106
107       As an action can not live on it's own, there always has to be a  filter
108       involved  as  link between qdisc and action. The example above uses u32
109       for that, which is configured to effectively match any packet  (passing
110       it to the police action thereby).
111
112

SEE ALSO

114       tc(8)
115
116
117
118iproute2                          20 Jan 2015         Policing action in tc(8)
Impressum