Policing action in tc(8)            Linux            Policing action in tc(8)

NAME
       police - policing action

SYNOPSIS
       tc ... action police rate RATE burst BYTES[/BYTES] [ mtu BYTES[/BYTES] ]
              [ peakrate RATE ] [ overhead BYTES ] [ linklayer TYPE ] [ CONTROL ]

       tc ... filter ... [ estimator SAMPLE AVERAGE ] action police avrate RATE
              [ CONTROL ]

       CONTROL := conform-exceed EXCEEDACT[/NOTEXCEEDACT]

       EXCEEDACT/NOTEXCEEDACT := { pipe | ok | reclassify | drop | continue |
              goto chain CHAIN_INDEX }

DESCRIPTION
       The police action limits the bandwidth of traffic matched by the
       filter it is attached to. Two different algorithms are available to
       measure the packet rate: the first one uses an internal dual token
       bucket and is configured using the rate, burst, mtu, peakrate,
       overhead and linklayer parameters. The second one uses an in-kernel
       sampling mechanism. It can be fine-tuned using the estimator filter
       parameter.

OPTIONS
       rate RATE
              The maximum traffic rate of packets passing this action. Those
              exceeding it will be treated as defined by the conform-exceed
              option.

       burst BYTES[/BYTES]
              Set the maximum allowed burst in bytes, optionally followed by
              a slash ('/') sign and cell size, which must be a power of 2.

       mtu BYTES[/BYTES]
              This is the maximum packet size handled by the policer (larger
              ones will be handled like they exceeded the configured rate).
              Setting this value correctly will improve the scheduler's
              precision. Value formatting is identical to burst above.
              Defaults to unlimited.

       peakrate RATE
              Set the maximum bucket depletion rate, exceeding rate.

       avrate RATE
              Make use of an in-kernel bandwidth rate estimator and match the
              given RATE against it.

       overhead BYTES
              Account for protocol overhead of encapsulating output devices
              when computing rate and peakrate.

       linklayer TYPE
              Specify the link layer type. TYPE may be one of ethernet (the
              default), atm or adsl (which are synonyms). It is used to align
              the precomputed rate tables to ATM cell sizes; for ethernet no
              action is taken.

       estimator SAMPLE AVERAGE
              Fine-tune the in-kernel packet rate estimator. SAMPLE and
              AVERAGE are time values and control the frequency at which
              samples are taken and over what timespan an average is built.

       conform-exceed EXCEEDACT[/NOTEXCEEDACT]
              Define how to handle packets which exceed or conform to the
              configured bandwidth limit. Possible values are:

              continue
                     Don't do anything, just continue with the next action
                     in line.

              drop   Drop the packet immediately.

              shot   This is a synonym for drop.

              ok     Accept the packet. This is the default for conforming
                     packets.

              pass   This is a synonym for ok.

              reclassify
                     Treat the packet as non-matching to the filter this
                     action is attached to and continue with the next filter
                     in line (if any). This is the default for exceeding
                     packets.

              pipe   Pass the packet to the next action in line.

EXAMPLES
       A typical application of the police action is to enforce ingress
       traffic rate by dropping exceeding packets. Although better done on
       the sender's side, especially in scenarios with lack of peer control
       (e.g. with dial-up providers) this is often the best one can do in
       order to keep latencies low under high load. The following
       establishes input bandwidth policing to 1mbit/s using the ingress
       qdisc and u32 filter:

              # tc qdisc add dev eth0 handle ffff: ingress
              # tc filter add dev eth0 parent ffff: u32 \
                   match u32 0 0 \
                   police rate 1mbit burst 100k

       As an action cannot live on its own, there always has to be a filter
       involved as link between qdisc and action. The example above uses u32
       for that, which is configured to effectively match any packet
       (thereby passing it to the police action).
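
       The following is an added illustration, not part of the original
       manual page and not the kernel's code: a simplified single-rate token
       bucket model of "police rate 1mbit burst 100k", showing how many
       packets of a constructed flood conform before the burst allowance is
       used up. The names Policer, classify and run are hypothetical;
       peakrate, overhead and linklayer are not modelled.

```python
# Simplified model of the single-rate token bucket behind
# "police rate 1mbit burst 100k"; an illustration, not the kernel's code.
# peakrate, overhead and linklayer are deliberately not modelled.

US = 1_000_000  # microseconds per second; tokens are kept in byte-microseconds


class Policer:
    def __init__(self, rate_bps, burst_bytes, mtu_bytes=None):
        self.rate = rate_bps // 8          # bytes per second
        self.burst = burst_bytes * US      # bucket depth, scaled to stay integer
        self.mtu = mtu_bytes               # None = unlimited (the default)
        self.tokens = self.burst           # assumption: bucket starts full
        self.last_us = 0

    def classify(self, now_us, size):
        """Return 'conform' or 'exceed' for one packet of `size` bytes."""
        # Refill for the elapsed time, never beyond the burst size.
        refill = (now_us - self.last_us) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_us = now_us
        if self.mtu is not None and size > self.mtu:
            return "exceed"                # oversized: handled as over rate
        if size * US <= self.tokens:
            self.tokens -= size * US
            return "conform"
        return "exceed"                    # exceeding packets use no tokens


def run(policer, arrivals):
    """Count verdicts for a list of (time_us, size) arrivals."""
    counts = {"conform": 0, "exceed": 0}
    for now_us, size in arrivals:
        counts[policer.classify(now_us, size)] += 1
    return counts


RATE, BURST = 1_000_000, 100 * 1024       # tc units: 1mbit, 100k

# Constructed traffic: 1500-byte packets offered at 10 Mbit/s for one second.
flood = [(t, 1500) for t in range(0, US, 1200)]

if __name__ == "__main__":
    print(run(Policer(RATE, BURST), flood))
```

       In this model the first 75 packets of the flood pass on the burst
       allowance alone; after that only about one packet in ten conforms,
       which is the 1mbit/s sustained rate.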

SEE ALSO
       tc(8)

iproute2                         20 Jan 2015         Policing action in tc(8)